Docker & PCI DSS Compliance

Just wondering - is anyone out there using Docker containers in the payment card industry? Any issues with the DSS standards?

Yes we just passed a level 1 PCI compliance but it took some customization of the base server and registry. Once you have those done you’re good to go.

@jruffer are you able to throw some light on what are the customizations and/or why they are required?

Certainly. I am going to do an article on it early next week. If you want to throw me a network diagram in the meantime I am happy to tell you what is in scope.

Our plan is to put up a registry for just projection purpose only, on a separate subnet from production servers. These will then be treated as within scope.
Just curious, what are those customizations alluded to? Are they network based, or the Docker and registry applications themselves?

@jruffer, have you written that article? I’m interested to see what is required to make a docker container PCI compliant. My guess is the container needs to be custom-built as far as possible and run on a self-managed registry. The container is read-only, so is an anti-virus still required inside the docker image or can it just be installed on the host machine where the docker images are running?

@jruffer, @mcpken
Did that article ever come through? We are very interested in any success stories with Docker in PCI DSS land.

My apologies. I switched projects after achieving PCI level 1 compliance. Shoot me an email; I’ll try to help.

Not sure how to send you an email, but you may take my email address and send me one so I have your email address.

@jruffer did you get my email address?

