Skip to main content Skip to navigation Skip to footer
Limited time: Design Partner Program. BUSINESS plan free for life.

PCI DSS Compliance

How Rediacc meets PCI DSS requirements: immutable backups, automatic network isolation, and access control at the infrastructure level.

Look, PCI DSS v4.0.1. is not optional if you handle cardholder data. Version 4.0.1. comes down to one requirement: infrastructure-level isolation from everything else.

Reference: PCI Security Standards Council

Requirements Mapping

PCI DSS RequirementDescriptionRediacc Capability
Req 1, Network security controlsInstall and maintain network security controlsPer-repository iptables rules block all cross-repository traffic. Each repository gets its own loopback IP subnet (/26).
Req 2, Secure configurationsApply secure configurations to all system componentsRediaccfile lifecycle hooks enforce deterministic, reproducible configurations. No default credentials. LUKS keys are operator-generated.
Req 3, Protect stored account dataProtect stored account data with encryptionLUKS2 AES-256 encryption on all repository volumes. Encryption is mandatory, not optional. Cryptographic erasure via LUKS key destruction.
Req 4, Protect data in transitProtect cardholder data with strong cryptography during transmissionAll remote operations over SSH. Backup transport encrypted end-to-end. No unencrypted data paths.
Req 6, Secure developmentDevelop and maintain secure systems and softwareCoW cloning creates isolated test environments without exposing production cardholder data to development networks. Fork-test-promote workflow.
Req 7, Restrict accessRestrict access to system components and cardholder data by business need to knowPer-repository Docker daemon sockets. Access to one repository does not grant access to another. SSH key-based authentication.
Req 8, Identify users and authenticateIdentify users and authenticate access to system componentsSSH key authentication. API tokens with IP binding and scoped permissions. Two-factor authentication (TOTP).
Req 9, Restrict physical accessRestrict physical access to cardholder dataSelf-hosted: physical security is under your direct control. LUKS encryption renders stolen drives unreadable.
Req 10, Log and monitorLog and monitor all access to system components and cardholder data70+ event types (auth, API tokens, config, licensing, machine operations). Admin dashboard and portal with filtering by user, team, type, and date. rdc audit CLI for programmatic export. Machine operations also in system logs for defense in depth.
Req 12, Organizational policiesSupport information security with organizational policies and programsSelf-hosted eliminates third-party processor scope (Req 12.8). Reduces PCI DSS compliance boundary.

Network Segmentation

PCI DSS leans hard on segmentation. I keep seeing teams layer iptables rules on top of insufficient isolation. That doesn’t work. The teams that pass have segmentation built into the architecture. Rediacc gives you that by default:

  • Each repository runs in its own Docker daemon at /var/run/rediacc/docker-<networkId>.sock
  • Repositories have isolated loopback IP subnets (127.0.x.x/26, 61 usable IPs per network)
  • iptables rules enforced by renet block all cross-daemon traffic
  • Containers from different repositories cannot communicate at the network level

A payment processing repository runs on its own Docker daemon and its own loopback subnet, network-isolated from every other application on the same machine. No extra firewall rules to write.

Scope Reduction

Self-hosted Rediacc reduces compliance scope. You don’t need to manually configure network segmentation; it’s automatic by design. Our documentation for this part still needs work, but the isolation is solid.

  • No third-party cloud provider in the cardholder data flow
  • No SaaS vendor to evaluate under Req 12.8 (third-party service providers)
  • Physical security controls are under your direct management
  • Encryption keys are stored only in the operator’s local config

Enforcement Cases

Most PCI audit failures come down to one of two things: segmentation that was never properly isolated, or encryption that was never tested against real attacks.

  • Heartland Payment Systems (2008): attackers moved laterally across 48 databases due to poor network segmentation, exposing 130 million card numbers. Total cost exceeded $200 million.
  • Target (2013): attackers pivoted from an HVAC vendor’s network access to point-of-sale systems due to flat network architecture, capturing 40 million payment cards. Settled for $18.5 million with 47 state AGs.