What’s New in OpenShift 3.6 – PCI Product Applicability

Oftentimes people ask the question "is software X PCI compliant?" The reality is that software itself is neither compliant nor non-compliant. The question comes from a well-intentioned place (a desire to pass a PCI assessment) but it is actually not the right question to ask. PCI compliance and passing a PCI assessment is much more about policy, procedure, and configuration than any particular feature or function. The PCI DSS is a set of baseline technical and operational requirements that establishes consistent data security measures.

OpenShift Container Platform is a container orchestration solution that enables organizations to run both cloud-native and traditional applications, in containers, at scale. These applications may contain cardholder data (CHD) or not (non-CHD). The platform itself is subject to the various requirements established in the PCI DSS, but do not forget that the underlying operating system (Red Hat Enterprise Linux or Red Hat Enterprise Linux Atomic Host) is part of the overall solution. As such, it, too, is subject to the standards.

Red Hat engaged Coalfire Systems, Inc., a respected Payment Card Industry Qualified Security Assessor (QSA) company, to conduct an independent technical assessment of OpenShift Container Platform running on RHEL and/or Atomic Host. The applicability guide examines the PCI DSS through the eye of a QSA and identifies where the various requirements apply, or do not apply, to the overall solution. Overall, Red Hat and Coalfire came to the conclusion that OpenShift could be configured and deployed in a way that would satisfy the PCI DSS, and we produced a Product Applicability Guide (PAG) to help you understand these opinions.

The guide includes a good deal of background information as well as useful tables that depict how the various PCI DSS requirements apply and, where relevant, provide insight into how either OpenShift, RHEL/Atomic Host, or additional software can help to meet the requirement.

Remember, PCI assessment is a multi-faceted process and your relationship with your auditor is important. Take a look at the PCI PAG for OpenShift Container Platform and go over it with your QSA. You will be glad you did!