PCI DSS Compliance for Containerized Applications
Payment Card Industry Data Security Standard (PCI DSS) compliance in containerized environments requires careful implementation of security controls. Network segmentation must isolate the cardholder data environment (CDE) from out-of-scope workloads. Access controls must restrict access to in-scope containers, images and secrets to authorized personnel on a need-to-know basis. Stored account data must be rendered unreadable (for example by encryption at rest), transmissions over open networks must use strong cryptography, and in-scope hosts need audit logging and file-integrity monitoring. These requirements map to specific container security implementations, several of which appear in the example below.
Network segmentation for PCI DSS uses container network policies and service mesh technologies. Microsegmentation isolates payment processing containers from other workloads. Egress controls prevent unauthorized data transmission; note that an overlay network which is not marked internal still gives its containers outbound connectivity, so egress filtering must be enforced at the host or perimeter firewall and evidenced separately. Network monitoring detects anomalous traffic patterns. Documentation must clearly show network boundaries and data flows for audit purposes, and the segmentation controls themselves must be tested periodically, since PCI DSS requires penetration testing to confirm that the segmentation actually holds.
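# Example: PCI DSS compliant container deployment (Docker Swarm stack file).
#
# Hardening applied relative to a plain deployment: pinned/signed payment
# image, non-root user, read-only root filesystem, seccomp/AppArmor profiles,
# capabilities dropped, IPsec-encrypted overlay networks, secrets from the
# Swarm store, and placement pinned to nodes labelled as PCI-compliant.
# Fixes versus an earlier revision of this example: the Postgres superuser
# password is actually read from the secret, the mounted postgresql.conf is
# actually loaded, the bogus initdb "--data-encryption" flag is gone (it does
# not exist in PostgreSQL 14 and aborts initdb), the TLS cipher list no longer
# admits MEDIUM/3DES, statement logging no longer writes every query (and
# therefore PANs) to the log, and the log/FIM agents are no longer attached
# to the CDE network they do not need.
version: '3.8'

services:
  # Payment processing service - PCI scope (handles cardholder data).
  payment-processor:
    # Immutable, signed tag: never ':latest' for anything in CDE scope.
    image: payment-processor:1.0.0-signed
    networks:
      - pci-zone
    deploy:
      replicas: 2
      placement:
        constraints:
          # Only schedule onto nodes that have been hardened and labelled for the CDE.
          - node.labels.pci-compliant == true
      resources:
        limits:
          memory: 512M
          cpus: '0.5'
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
    security_opt:
      - no-new-privileges:true
      # Custom AppArmor and seccomp profiles; both must be present on every
      # pci-compliant node or the task will fail to start.
      - apparmor:docker-pci
      - seccomp:pci-restricted.json
    # Runs as an unprivileged UID, so no capabilities are needed; drop them
    # all so file capabilities in the image cannot hand any back.
    cap_drop:
      - ALL
    read_only: true
    user: "10001:10001"
    environment:
      - LOG_LEVEL=info
      - ENCRYPTION_REQUIRED=true
    # Delivered as files under /run/secrets, never as environment variables.
    secrets:
      - payment_encryption_key
      - database_credentials
    volumes:
      # The only writable path; size-capped tmpfs so the task cannot fill the host.
      - type: tmpfs
        target: /tmp
        tmpfs:
          size: 100M
    healthcheck:
      test: ["CMD", "/healthcheck"]
      interval: 30s
      timeout: 3s
      retries: 3

  # Database - PCI scope (stores account data).
  payment-database:
    image: postgres:14-alpine
    networks:
      - pci-zone
    deploy:
      placement:
        constraints:
          - node.labels.pci-compliant == true
    security_opt:
      # The entrypoint still drops from root to postgres (that is allowed);
      # this only blocks re-gaining privilege via setuid binaries.
      - no-new-privileges:true
    environment:
      - POSTGRES_DB=payments
      # The official image reads the superuser password from a secret only
      # via the *_FILE variant. Without it the secret is mounted but unused
      # and initdb refuses to initialise the cluster.
      - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password
      # NOTE: PostgreSQL 14 has no built-in transparent data encryption and
      # initdb accepts no "--data-encryption" flag. Encryption at rest comes
      # from the encrypted host filesystem behind the `payment-data` volume.
    secrets:
      - postgres_password
      # Not consumed by stock postgres; presumably for an extension or
      # application-level column encryption -- TODO(review): confirm a consumer.
      - postgres_encryption_key
    volumes:
      - payment-data:/var/lib/postgresql/data:rw
      - ./postgres-pci.conf:/etc/postgresql/postgresql.conf:ro
    # - config_file: without it the image reads the postgresql.conf that
    #   initdb writes into PGDATA and the mounted file is silently ignored.
    # - TLS material under /etc/ssl is NOT provisioned by this file; it must
    #   be supplied out-of-band (e.g. Swarm secrets with a target path) with
    #   ownership/mode the server accepts, or startup fails with ssl=on.
    # - ssl_ciphers: the previous list ('HIGH:MEDIUM:+3DES:!aNULL') admitted
    #   MEDIUM-strength suites and 3DES (SWEET32); PCI DSS requires strong
    #   cryptography, so restrict to HIGH and require TLS 1.2+.
    # - log_statement=all would write every query, including INSERTs carrying
    #   PANs, in cleartext to the log stream outside the encrypted volume.
    #   'ddl' keeps an audit trail of schema changes without that exposure.
    command: >
      postgres
      -c config_file=/etc/postgresql/postgresql.conf
      -c ssl=on
      -c ssl_min_protocol_version=TLSv1.2
      -c ssl_cert_file=/etc/ssl/certs/server.crt
      -c ssl_key_file=/etc/ssl/private/server.key
      -c ssl_ciphers='HIGH:!aNULL:!MD5:!3DES'
      -c log_connections=on
      -c log_disconnections=on
      -c log_statement=ddl

  # Log aggregation - PCI scope (connected-to system: it reads CDE container logs).
  log-collector:
    # TODO(review): pin to an immutable tag or @sha256 digest; ':latest'
    # defeats change control and cannot be verified against a signature.
    image: fluentbit/fluent-bit:latest
    # Reads logs from the local Docker directory and ships them over the
    # monitoring network; it needs no presence on pci-zone, and attaching a
    # global service there would bridge the CDE to the monitoring network
    # from every node in the swarm.
    networks:
      - monitoring
    configs:
      - source: fluent-bit-config
        target: /fluent-bit/etc/fluent-bit.conf
    volumes:
      - /var/lib/docker/containers:/var/lib/docker/containers:ro
      - log-buffer:/var/log/fluent-bit-buffer
    deploy:
      mode: global
    security_opt:
      - no-new-privileges:true
    read_only: true

  # File integrity monitoring - PCI DSS requires change detection on critical
  # files; here the Docker state directory and daemon configuration.
  fim-agent:
    # TODO(review): pin to an immutable tag or digest (see log-collector).
    image: wazuh/wazuh-agent:latest
    # Talks only to its manager on the monitoring network; not attached to
    # pci-zone for the same reason as log-collector.
    networks:
      - monitoring
    volumes:
      - /var/lib/docker:/var/lib/docker:ro
      - /etc/docker:/etc/docker:ro
    environment:
      - WAZUH_MANAGER=wazuh-manager.monitoring.svc
      - WAZUH_AGENT_GROUP=pci-docker
    deploy:
      mode: global
      placement:
        constraints:
          - node.labels.pci-compliant == true
    security_opt:
      - no-new-privileges:true
      - apparmor:docker-fim
    read_only: true

networks:
  # Cardholder data environment. Overlay traffic between nodes is
  # IPsec-encrypted (driver_opts.encrypted). The network is deliberately not
  # 'internal' because the processor must reach the acquirer, so CDE egress
  # filtering has to be enforced at the host/perimeter firewall and evidenced.
  pci-zone:
    driver: overlay
    driver_opts:
      encrypted: "true"
    ipam:
      config:
        - subnet: 10.1.0.0/24
    labels:
      com.docker.network.pci: "true"
  # Internal-only: no route out of the overlay.
  monitoring:
    driver: overlay
    driver_opts:
      encrypted: "true"
    internal: true

volumes:
  # Bind mount onto a host path that is expected to be an encrypted
  # filesystem (e.g. dm-crypt/LUKS). The labels record intent only; Docker
  # encrypts nothing here, so verify the mount on every pci-compliant node.
  payment-data:
    driver: local
    driver_opts:
      type: none
      device: /mnt/encrypted/payment-data
      o: bind
    labels:
      com.docker.volume.pci: "true"
      com.docker.volume.encrypted: "true"
  # RAM-backed spool for the log shipper; contents do not survive a node
  # restart, so log retention is provided by the downstream store, not here.
  log-buffer:
    driver: local
    driver_opts:
      type: tmpfs
      device: tmpfs
      o: size=1G,mode=0700

# All secrets are created out-of-band (docker secret create) and are never
# committed alongside this file.
secrets:
  payment_encryption_key:
    external: true
  database_credentials:
    external: true
  postgres_password:
    external: true
  postgres_encryption_key:
    external: true

configs:
  fluent-bit-config:
    file: ./configs/fluent-bit-pci.conf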