The Payment Card Industry Data Security Standard (PCI DSS) is not new. It has existed for several years and provides security guidelines and best practices for the storage and processing of personal cardholder data. This article takes a look at PCI DSS 3.2 (published in April of 2016) and shows how Identity Management in Red Hat Enterprise Linux (IdM) and related technologies can help customers to address PCI DSS requirements to achieve and stay compliant with the standard. If you need a copy of the PCI DSS document it can be acquired from the document library at the following site: www.pcisecuritystandards.org
In October of 2015 Red Hat published a paper that gives an overview of the PCI DSS standard and shows how Red Hat Satellite and other parts of the Red Hat portfolio can help customers to address their PCI compliance challenges. In this post I would like to expand on this paper and drill down into more detail about the Identity Management solution Red Hat provides and how it can be leveraged to achieve PCI DSS compliance in conjunction with other technologies as covered in the paper.
Note that this post assumes familiarity with the Red Hat IdM solution. If you're not "up-to-speed" - please review our Identity Management documentation. Also, my previous blog posts provide a good foundation for the problem space and understanding of the solution. Identity Management in Red Hat Enterprise Linux is an open source solution based on the FreeIPA community project. There is a public instance of the FreeIPA server running in the cloud that you can connect to and explore using the following link: http://www.freeipa.org/page/Demo
Since the standard is quite big I will break this article into a series of individual posts - addressing one section at a time. The following table will help in terms of mapping each section of the PCI document to each follow-up post.
It's worth mentioning that while this series is focused on IdM and its ecosystem - there are other parts of the Red Hat portfolio that would allow for addressing some of the PCI DSS requirements that we do not drill down into here. For example, the OpenSCAP scanner that's integrated into Red Hat Satellite 6 allows for the regular detection of unaddressed CVEs and misconfigurations according to a defined policy. To get more information about these technologies and how they help to address PCI DSS requirements please see the Achieving and Maintaining PCI DSS Compliance with Red Hat paper on the Red Hat site.
In closing - stay tuned for my future posts on PCI DSS. If they're already live - you'll see active links in the table (above). General questions about PCI DSS and IdM? Feel free to reach out using the comments section (below).