The Payment Card Industry Data Security Standard (PCI DSS) is required for any organization that stores, processes, or transmits cardholder data. The current version is PCI DSS v4.0.1.
Reference: PCI Security Standards Council
Requirements Mapping
| PCI DSS Requirement | Description | Rediacc Capability |
|---|---|---|
| Req 1, Network security controls | Install and maintain network security controls | Per-repository iptables rules block all cross-repository traffic. Each repository gets its own loopback IP subnet (/26). |
| Req 2, Secure configurations | Apply secure configurations to all system components | Rediaccfile lifecycle hooks enforce deterministic, reproducible configurations. No default credentials. LUKS keys are operator-generated. |
| Req 3, Protect stored account data | Protect stored account data with encryption | LUKS2 AES-256 encryption on all repository volumes. Encryption is mandatory, not optional. Cryptographic erasure via LUKS key destruction. |
| Req 4, Protect data in transit | Protect cardholder data with strong cryptography during transmission | All remote operations over SSH. Backup transport encrypted end-to-end. No unencrypted data paths. |
| Req 6, Secure development | Develop and maintain secure systems and software | CoW cloning creates isolated test environments without exposing production cardholder data to development networks. Fork-test-promote workflow. |
| Req 7, Restrict access | Restrict access to system components and cardholder data by business need to know | Per-repository Docker daemon sockets. Access to one repository does not grant access to another. SSH key-based authentication. |
| Req 8, Identify users and authenticate | Identify users and authenticate access to system components | SSH key authentication. API tokens with IP binding and scoped permissions. Two-factor authentication (TOTP). |
| Req 9, Restrict physical access | Restrict physical access to cardholder data | Self-hosted: physical security is under your direct control. LUKS encryption renders stolen drives unreadable. |
| Req 10, Log and monitor | Log and monitor all access to system components and cardholder data | 70+ event types (auth, API tokens, config, licensing, machine operations). Admin dashboard and portal with filtering by user, team, type, and date. rdc audit CLI for programmatic export. Machine operations also in system logs for defense in depth. |
| Req 12, Organizational policies | Support information security with organizational policies and programs | Self-hosted eliminates third-party processor scope (Req 12.8). Reduces PCI DSS compliance boundary. |
Network Segmentation
PCI DSS places heavy emphasis on network segmentation to isolate the cardholder data environment (CDE). Rediacc provides this by architecture:
- Each repository runs in its own Docker daemon at
/var/run/rediacc/docker-<networkId>.sock - Repositories have isolated loopback IP subnets (127.0.x.x/26, 61 usable IPs per network)
- iptables rules enforced by renet block all cross-daemon traffic
- Containers from different repositories cannot communicate at the network level
A payment processing repository is network-isolated from all other applications on the same machine. No additional firewall configuration needed.
Scope Reduction
Self-hosted Rediacc reduces PCI DSS compliance scope:
- No third-party cloud provider in the cardholder data flow
- No SaaS vendor to evaluate under Req 12.8 (third-party service providers)
- Physical security controls are under your direct management
- Encryption keys are stored only in the operator’s local config
Enforcement Cases
Poor network segmentation and missing encryption have led to costly PCI DSS enforcement actions:
- Heartland Payment Systems (2008): attackers moved laterally across 48 databases due to poor network segmentation, exposing 130 million card numbers. Total cost exceeded $200 million.
- Target (2013): attackers pivoted from an HVAC vendor’s network access to point-of-sale systems due to flat network architecture, capturing 40 million payment cards. Settled for $18.5 million with 47 state AGs.