PCI and RHEL - A great combination
Computer security has taken the spot light over the last few years. With high-profile “incidents”, consumers, government agencies, and business partners are demanding better protection around sensitive data. Here at Red Hat, we have customers from every conceivable type of business each with their own unique nuances and concerns, but all looking to protect their data. Security has always been a priority with our software and our practices.
Any business that interacts with credit cards will have had to formulate a plan to deal with PCI compliance. PCI is short for Payment Card Industry, and is made up of the vendors that supply, back, and process credit card transactions. What you must comply with differs by precisely what your role in these credit cards transactions. The latest DSS regs can be found at https://www.pcisecuritystandards.org/security_standards/index.php
The 2.0 version for the PCI DSS has 12 areas that organizations must adhere to in order to be authorized to work with credit card data. It encompasses a holistic approach to security requiring a vigorous security and training program be established, and several technology-specific efforts that must be undertaken.
Out-of-the-box, Red Hat Enterprise Linux offers features that can help an organization meet many of these strict guidelines. Whether you're using SELinux to manage how applications communicate, sudo for privileged enity control, auditd for tracking and logging access, aide for file integrity monitoring, or LUKS for data-at-rest encryption, there are a multitude of flexible features you can leverage to acheive compliance.
One REALLY interesting thing, talking to other security professionals, PCI provides a great framework to apply even if you DON'T have to comply with it. It's a great set of best practices that can help you go above-and-beyond to protect your vital corporate and customer data.
We'd love to hear your stories about how you're leveraging RHEL or other Open Source tools to meet or surpass Compliance obligations for PCI.