From the earliest days of Twistlock, we’ve always tried to build things that solve real problems for customers. If we’ve talked, you’ve probably heard me mention that >60% of the features we’ve shipped have been co-designed with a customer (or several) based on their own security and operational requirements. That mindset doesn’t stop at the product bits though; we’ve also invested many hours in creating comprehensive documentation and support systems as well.
In recent months, we’ve been proud to win dozens of new customers, many of which are in financial services or, at the very least, process credit card transactions (involving American Express, JCB, Mastercard, Visa, Discover, and other card brands) on behalf of their own customers–which means they interact with cardholder data on a regular basis. These organizations want to leverage all the great benefits of containers across their environment, even in the most sensitive areas that deal with cardholder data.
At the same time, these environments are subject to a variety of regulatory and compliance requirements, though, so to be able to take a new technology into them requires being able to operate it in a way that they can meet the payment card industry data security standards and hold up to the scrutiny of even the most demanding of security assessors. Let’s face it: when it comes to payment card data, non-compliance to security standards is dangerous because it only takes one security breach to destroy a company’s reputation.
As we worked with these customers, we realized that while there’s a lot of great information on container security in general, like the Center for Internet Security’s Docker Security Benchmark and OpenShift’s Docker Security eBook, there’s relatively little information specifically about PCI compliance for containers (and exactly what is PCI compliance). So, in the spirit of helping customers solve real problems, we decided to change that through two main actions.
First, we’re proud to announce today that Twistlock has joined the PCI Security Standards Council as a new Participating Organization. We’ll work with the Council to achieve and improve payment data security worldwide through the ongoing development of the PCI Security Standards, including the Payment Card Industry Data Security Standard (PCI DSS), PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS). This activity supports the security of stored card information as well as the transmission of cardholder data, helping service providers develop a clear cut security policy that is PCI compliant.
As a Participating Organization, Twistlock adds its voice to the data security standards setting process and will receive previews of drafts of standards and supporting materials in order to provide feedback to shape their final versions, as well as engage a growing community of more than 700 organizations united to improve payment security worldwide. Because Twistlock is specifically focused on full stack container security, we’re able to provide a deep, technically relevant perspective to help integrate container thinking into these future PCI standards and guidance.
Second, we invested significant R&D time to build, test, and document a detailed guide specifically focused on PCI compliance for containers. This first of its kind document is designed to provide clear alignment between the PCI DSS requirements, container ecosystem capabilities, and specific features customers can use within Twistlock to help enforce compliance–think of it like a checklist for maintaining and achieving PCI compliance. Our guide breaks down the data security standard section by section, discusses threats and countermeasures, and provides specific implementation guidance to help you implement necessary controls, including critical tools such as a self-assessment questionnaire to help you see where you stand with respect to PCI DSS compliance. It also helps you understand issues such as why you need to develop a vulnerability management program, what kind of security parameters are involved, why you need a secure system rather than relying on a public network, the role that anti-virus software and firewall configurations play, and how to implement access control measures to limit data breaches involving not just credit card data but the sensitive authentication data that goes with it. All the recommendations in the guide are fully tested and supported directly by us for our customers.
Since so many organizations rely on electronic payments today, we hope these actions will be broadly valuable to everyone using containers and we’re happy to make the guidance available for free on twistlock.com.
- Download the guide to PCI Compliance for Containers and know the ins and outs of the PCI DSS requirements!
- Read about how Twistlock is protecting customers from the Cisco CloudCenter CVE through compliance enforcement.
- Check out other articles pertaining to Compliance for Containers.
- Twistlock 2.0 version is released, which contains a feature called Compliance Explorer.
Follow us on Twitter
Follow us on Twitter for real time updates on the cloud native ecosystem, Twistlock product, and cloud native security threats.
How My Company (Teckro) Uses ContainersRead the Blog
Mitigating CVE-2019-5736 Impacting RunC and DockerRead the Blog
From Agile to DevSecOps and DevOps SecurityRead the Blog
What’s Next for Cloud-Native Infrastructure Technology?Read the Blog
Cloud Native Security Beyond Your Cloud Vendor’s ToolsRead the Blog