Add compliance content for PCI DSS 4.0 (#1781)
This adds pages and front matter for a new section to be added to our compliance documentation. It covers PCI DSS 4.0 and how Chainguard helps you fulfill requirements. All this content is new, so it deserves full attention while reviewing.
1 parent c662972, commit adc0dce
Showing 4 changed files with 213 additions and 0 deletions.
@@ -0,0 +1,10 @@ | ||
--- | ||
title: "PCI DSS 4.0" | ||
linkTitle: "PCI DSS 4.0" | ||
description: "How to prepare for PCI DSS 4.0 compliance." | ||
type: "article" | ||
date: 2024-08-21T14:05:09+00:00 | ||
lastmod: 2024-08-21T14:05:09+00:00 | ||
draft: false | ||
images: [] | ||
--- |
content/software-security/compliance/pci-dss-4/intro-pci-dss-4.md (87 changes: 87 additions & 0 deletions)
@@ -0,0 +1,87 @@ | ||
--- | ||
title: "Introduction to the PCI Data Security Standard (DSS) 4.0" | ||
description: "How to prepare your organization to meet the requirements of PCI DSS 4.0" | ||
lead: "How to prepare your organization to meet the requirements of PCI DSS 4.0" | ||
type: "article" | ||
date: 2024-08-21T14:05:09+00:00 | ||
lastmod: 2024-08-21T14:05:09+00:00 | ||
contributors: [] | ||
draft: false | ||
tags: ["compliance", "PCI DSS 4.0", "standards"] | ||
images: [] | ||
menu: | ||
docs: | ||
parent: "pci-dss-4" | ||
weight: 001 | ||
toc: true | ||
--- | ||
|
||
PCI DSS 4.0, or Payment Card Industry Data Security Standard, is a global standard in the payments industry that includes a set of foundational technical and operational requirements surrounding the protection of payment data. Its goal is to ensure the security of information involved when payment cards are used and while those payments are processed. PCI DSS 4.0 replaces the earlier PCI DSS 3.2.1, which was retired in March 2024. | ||
|
||
Cashless transactions have become the norm around the world. This is a convenient way for buyers and sellers to transact business. It has also attracted the attention of criminals looking for easy money. Payment account information, and especially payment card and card-owner data, are especially targeted. All payment system stakeholders have a responsibility to secure this information. PCI DSS helps to alleviate vulnerabilites and protect payment account data. | ||
|
||
This guide will provide a comprehensive overview of PCI DSS 4.0, detailing its practices, the importance of compliance, and practical guidance on meeting its requirements. At the end of this guide, you will learn how Chainguard Images can be used to significantly reduce the toil and time needed to achieve PCI DSS 4.0 compliance. | ||
|
||
|
||
## Who is Required to be Compliant? | ||
|
||
The PCI Security Standards Council (PCI SSC) is a global forum for the industry to come together to develop, enhance, disseminate, and assist with the understanding of security standards for payment account security. | ||
|
||
The standards developed are agreed upon by all members and provide a measure of mutual trust across the industry. The standards are not directly developed or required by governmental entities the PCI DSS is not a law, but compliance is enforced by the PCI SCC using an yearly assessment. | ||
|
||
Participation and membership in the PCI SSC is open globally to those affiliated with the payments industry. Compliance is expected of all members and validated using the PCI DSS 4.0 and is assessed using a set of defined testing procedures to verify requirements are met. | ||
|
||
Membership in the PCI SCC includes: | ||
|
||
- **Merchants** | ||
- **Banks** | ||
- **Processors** | ||
- **Hardware and software developers** | ||
- **Point of sale vendors** | ||
- **Payment brands**, such as Visa, Mastercard, and American Express | ||
|
||
Participation in the PCI SCC is encouraged for all industry stakeholders and is required for any who wish to participate in reviewing proposed additions or modifications to the standards. | ||
|
||
Regardless of membership status, all entities that store, process, or transmit cardholder data and/or sensitive authentication data are expected to comply with PCI DSS requirements. | ||
|
||
|
||
## What is the Importance of Protecting Payment Account Data? | ||
|
||
Lax security enables criminals to steal and use consumer financial information from payment transactions and processing systems for fraudulent purposes. Vulnerabilities may appear anywhere in the card-processing ecosystem, including but not limited to: | ||
|
||
- Point of sale devices | ||
- Cloud-based systems | ||
- Mobile devices, personal computers, and servers | ||
- Wireless hotspots | ||
- Web shopping applications | ||
- Paper-based storage systems | ||
- The transmission of cardholder data to service providers | ||
- Remote access connections | ||
|
||
These vulnerabilities may also extend to systems operated by service providers, such as the financial institutions that initiate and maintain the relationships with merchants that accept payment cards. | ||
|
||
Compliance with PCI DSS helps to alleviate these vulnerabilities and protect payment account data. | ||
|
||
|
||
## Impact of Non-Compliance | ||
|
||
PCI DSS is designed to protect both customers and entities that handle payment data. Beyond the following, a failure to comply leaves you and your customers vulnerable to data and financial losses, most of which are preventable. | ||
|
||
Further, any entity that handles covered data and does not comply with PCI DSS requirements can expect: | ||
|
||
- Fines and penalties from contracted partners, such as payment processors | ||
- Data breach compensation costs, beyond just the initial losses | ||
- Legal action | ||
- A damaged reputation | ||
|
||
These consequences may further result in cancelled contracts, additional revenue losses, and even closures. | ||
|
||
Achieving compliance with PCI DSS 4.0 is not just an industry self-regulatory requirement but a critical step in safeguarding payment information. To prepare your organization for PCI DSS 4.0, continue on to the next section of our guide, [PCI DSS 4.0 Maturity Levels](/software-security/compliance/cmmc-2/cmmc-2-levels/), or read about [how Chainguard Images can help simplify fulfilling PCI DSS 4.0 requirements](/software-security/compliance/cmmc-2/cmmc-chainguard/). | ||
|
||
## Browse all PCI DSS 4.0 Articles | ||
|
||
- (Current article) Introduction to PCI DSS 4.0 | ||
- [Overview of PCI DSS 4.0 Practices/Requirements](/software-security/compliance/pci-dss-4/pci-dss-practices/) | ||
- [How Chainguard Can Help With PCI DSS 4.0](/software-security/compliance/pci-dss-4/pci-dss-chainguard/) | ||
|
||
**[Get started with Chainguard FIPS Images today!](https://images.chainguard.dev/?category=fips?utm_source=docs)** |
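Review bot: the two forward links in the closing paragraph of this page point into the CMMC 2.0 section (`/software-security/compliance/cmmc-2/cmmc-2-levels/` and `/software-security/compliance/cmmc-2/cmmc-chainguard/`) and name a "PCI DSS 4.0 Maturity Levels" page that the "Browse all PCI DSS 4.0 Articles" list at the bottom of this same file does not contain; they should point at `/software-security/compliance/pci-dss-4/pci-dss-practices/` and `/software-security/compliance/pci-dss-4/pci-dss-chainguard/`, matching that list. Also in this file: the council is abbreviated "PCI SSC" in one paragraph and "PCI SCC" in three others; the sentence "The standards are not directly developed or required by governmental entities the PCI DSS is not a law, but compliance is enforced by the PCI SCC using an yearly assessment" is a run-on with "an yearly", and its claim that the council enforces compliance sits oddly beside the later bullet attributing fines and penalties to contracted partners such as payment processors; "vulnerabilites" is misspelled; "Beyond the following" reads better as "Beyond the consequences listed below"; and the call-to-action URL `https://images.chainguard.dev/?category=fips?utm_source=docs` uses a second `?` where the second query parameter needs `&`.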
content/software-security/compliance/pci-dss-4/pci-dss-chainguard.md (58 changes: 58 additions & 0 deletions)
@@ -0,0 +1,58 @@ | ||
--- | ||
title: "Simplify Your Path to PCI DSS 4.0 Compliance with Chainguard" | ||
description: "Chainguard Images reduce the time and effort for establishing PCI DSS 4.0 compliance" | ||
lead: "Chainguard Images reduce the time and effort for establishing PCI DSS 4.0 compliance" | ||
type: "article" | ||
date: 2024-08-21T14:05:09+00:00 | ||
lastmod: 2024-08-21T14:05:09+00:00 | ||
contributors: [] | ||
draft: false | ||
tags: ["compliance", "PCI DSS 4.0", "standards"] | ||
images: [] | ||
menu: | ||
docs: | ||
parent: "pci-dss-4" | ||
weight: 005 | ||
toc: true | ||
--- | ||
|
||
Compliance with PCI DSS 4.0, or Payment Card Industry Data Security Standard, requires adherence to strong security standards. Rigorous requirements must be met in order to secure your networks, systems, storage, and access according to the guidelines. | ||
|
||
Chainguard doesn't build images specifically for PCI DSS, but our images can help you meet the requirements in many ways, easing your burden in the process of achieving compliance. Securing your software supply chain provides a solid foundation for minimizing vulnerabilities. | ||
|
||
All Chainguard Images save time and costs required to triage, patch, and remediate CVEs. They are created by and officially maintained by Chainguard engineers. Our images are designed to be minimal, removing unnecessary software that is not specifically used. This eliminates a number of potential attack vectors. | ||
|
||
On top of this, you must authenticate into Chainguard to use Chainguard Images, giving you reassurance of the provenance of your images. They include digitally signed [build-time SBOMs](/content/chainguard/chainguard-images/working-with-images/retrieve-image-sboms/) (software bill of materials) documenting and attesting to the full provenance. | ||
|
||
Our FIPS-compliant (Federal Information Processing Standard) images, combined with STIG-hardened (Security Technical Implementation Guide) configurations, provide an even stronger foundation for meeting the requirements of PCI DSS even because they are hardened further to meet the more stringent FedRAMP requirements. | ||
|
||
|
||
## What are STIG-Hardened FIPS Images? | ||
|
||
STIG-hardened FIPS images are pre-configured container images that have been secured according to the Security Technical Implementation Guide (STIG) standards set by the Defense Information Systems Agency (DISA). These images meet stringent federal security requirements, combining FIPS-compliant encryption with robust security configurations that protect against vulnerabilities and threats. By using STIG-hardened FIPS images, organizations ensure that their systems adhere to federal encryption standards and best practices for cybersecurity, making them particularly valuable in environments that require high levels of security. | ||
|
||
## How do Chainguard Images Help? | ||
|
||
One of the main requirements of PCI DSS is to maintain a vulnerability management program. PCI DSS requires you to scan for vulnerabilites once every three months (Requirement 11.3.1) and triage and address all vulnerabilities (Requirement 11.3.11). Chainguard protects you from malicious attacks by supplying you with images where CVEs have already been dealt with, removing vulnerabilities for you. | ||
|
||
PCI DCC requires that you catalog and classify vulnerabilities bespoke and third-party software (Requirements 6.3.1 and 6.3.2). You must fix all critical and high vulnerabilities and have a plan of action for the rest (Requirement 11.4.4). Chainguard does that for you. | ||
|
||
Vulnerability scanners can be noisy and sifting through false positives while cataloging true vulnerabilities can be tedious work. Providing justifications for vulnerabilities that aren't applicable takes time, and that is after investigating them thoroughly. | ||
|
||
Chainguard Images are carefully engineered to contain low-to-no CVEs. Organizations can use them as their source to build their applications on. The benefits of our solution are: | ||
|
||
- **You’re secured by default** : Our Images contain low-to-no CVEs. Check out our I[mages Directory](https://images.chainguard.dev) yourself. | ||
- [**Extensive scanner partnerships**](https://www.chainguard.dev/scanners): We partner with the industry-leading scanners such as Snyk, Crowdstrike, and Wiz. | ||
- **SBOM for all Chainguard Images**: Get full transparency into the packages actually used in our images and ultimately run in your environment. | ||
- **Less ongoing human overhead**: Every new Chainguard Image version is carefully scanned and any addressable CVEs are fixed. | ||
- **Trust in our industry leading [CVE SLA]**(https://www.chainguard.dev/cve-sla): We are committed to supplying secure software and commit to fixing CVEs so you don’t have to. | ||
|
||
|
||
## Browse all CMMC 2.0 Articles | ||
|
||
- [Introduction to PCI DSS 4.0](/software-security/compliance/pci-dss-4/intro-pci-dss-4/) | ||
- [Overview of PCI DSS 4.0 Practices/Requirements](/software-security/compliance/pci-dss-4/pci-dss-practices/) | ||
- (Current article) How Chainguard Can Help With CMMC 2.0 | ||
|
||
|
||
**[Get started with Chainguard FIPS Images today!](https://images.chainguard.dev/?category=fips?utm_source=docs)** |
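Review bot: the "Browse all" section at the end of this file is carried over from the CMMC 2.0 section: the heading reads "Browse all CMMC 2.0 Articles" and the current-article line reads "How Chainguard Can Help With CMMC 2.0", while this page's title and the article lists in the other two files name it "How Chainguard Can Help With PCI DSS 4.0". Further points in this hunk: two markdown links are malformed, `I[mages Directory](https://images.chainguard.dev)` (the bracket opens after the "I") and `[CVE SLA]**(https://www.chainguard.dev/cve-sla)` (the `**` between `]` and `(` breaks the link); the SBOM link `/content/chainguard/chainguard-images/working-with-images/retrieve-image-sboms/` carries a `/content/` prefix that none of the other internal links in this commit use, so it will likely not resolve; "PCI DCC" should be "PCI DSS", and "catalog and classify vulnerabilities bespoke and third-party software" is missing "in"; "Requirement 11.3.11" does not follow the dotted numbering of the other requirement references and should be checked against the standard; "Chainguard does that for you" overstates what a base image can do for the bespoke software the same sentence says the requirement covers, given that the page later says organizations build their own applications on these images, so cataloging vulnerabilities in their own code remains their task; "even because they are hardened further" should drop "even"; "vulnerabilites" is misspelled; and the CTA URL repeats the `?category=fips?utm_source=docs` query-string error (`&` needed before `utm_source`).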
content/software-security/compliance/pci-dss-4/pci-dss-practices.md (58 changes: 58 additions & 0 deletions)
@@ -0,0 +1,58 @@ | ||
--- | ||
title: "Overview of PCI DSS 4.0 Practices/Requirements" | ||
description: "Learn about the practices required for PCI DSS 4.0" | ||
lead: "Learn about the practices required for PCI DSS 4.0" | ||
type: "article" | ||
date: 2024-08-21T14:05:09+00:00 | ||
lastmod: 2024-08-21T14:05:09+00:00 | ||
contributors: [] | ||
draft: false | ||
tags: ["compliance", "PCI DSS 4.0", "standards"] | ||
images: [] | ||
menu: | ||
docs: | ||
parent: "pci-dss-4" | ||
weight: 003 | ||
toc: true | ||
--- | ||
|
||
PCI DSS 4.0, or Payment Card Industry Data Security Standard is intended for all entities that store, process, or transmit cardholder data and/or authentication data that could impact the security of the cardholder data environment. This includes all entities interacting with information such as the following: | ||
|
||
| Cardholder Data | | ||
|------------------------| | ||
| Primary account number | | ||
| Cardholder name | | ||
| Expiration data | | ||
|
||
| Authentication Data | | ||
|-------------------------------------------------------| | ||
| Full track data, such as on a magnetic stripe or chip | | ||
| Card verification code (the number on the back) | | ||
| PINs | | ||
|
||
PCI DSS 4.0 requires compliance with a set of requirements, each related to an information security practice or goal. All of these are intended to protect cardholder data from theft and fraud. | ||
|
||
|
||
## PCI DSS 4.0 Goals and Requirements | ||
|
||
Below is a table overview with a high-level description of the goals and requirements, summarized from the PCI DSS v4.0 Quick Reference Guide from the PCI Security Standards Council, available from their [Document Library](https://east.pcisecuritystandards.org/document_library): | ||
|
||
| Goals | Requirements | | ||
|------------------------|-------------------------------------------------------| | ||
| **Build and maintain a secure network and systems** | Install and maintain network security controls and apply secure configurations to all system components | | ||
| **Protect account data** | Protect stored account data as well as during transmission over open, public networks | | ||
| **Maintain a vulnerability management program** | Protect all systems and networks from malicious software, develop and maintain secure systems and software | | ||
| **Implement strong access control measures** | Restrict access to system components and cardholder data y business need to know, identify users and authenticate access to system components, restrict physical access to cardholder data | | ||
| **Regularly monitor and test networks** | Log and monitor all access to system components and cardholder data, test security of all systems regularly | | ||
| **Maintain an information security policy** | Support information security with organizational policies and programs | | ||
|
||
For a list of all required practices, see the PCI DSS documentation available in the [PCI Security Standards Council's Document Library](https://east.pcisecuritystandards.org/document_library). | ||
|
||
|
||
## Browse all PCI DSS 4.0 Articles | ||
|
||
- [Introduction to PCI DSS 4.0](/software-security/compliance/pci-dss-4/intro-pci-dss-4/) | ||
- (Current article) Overview of PCI DSS 4.0 Practices/Requirements | ||
- [How Chainguard Can Help With PCI DSS 4.0](/software-security/compliance/pci-dss-4/pci-dss-chainguard/) | ||
|
||
**[Get started with Chainguard FIPS Images today!](https://images.chainguard.dev/?category=fips?utm_source=docs)** |
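Review bot: in the Cardholder Data table, "Expiration data" should be "Expiration date", and in the access-control row of the goals table "cardholder data y business need to know" should read "by business need to know". The opening sentence needs a comma after "Payment Card Industry Data Security Standard" to close the parenthetical, and the CTA URL `https://images.chainguard.dev/?category=fips?utm_source=docs` needs `&` rather than a second `?` before `utm_source`, as in the other two pages.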