How Canonical enables PCI-DSS compliance

Anyone who deals with online payments will have heard of PCI-DSS. The Payment Card Industry Data Security Standard is a comprehensive security control framework that is designed to keep payment card data safe from hackers and misuse. Merchants who accept debit or credit card payments (and service providers who process this information) will know this standard particularly well, as it’s a mandatory requirement for them to ply their trades. The latest iteration of the standard – v4.0.1 – came out in June 2024, and is free to download from the PCI Security Standards Council site.

In this blog we’ll look more closely at the greatest challenges in deploying and operating within PCI-DSS environments, examine some of the open source technology options you could use to resolve these issues, and how Canonical delivers ideal implementations of these software components.

PCI-DSS overview

The 12 sections of the PCI standard provide a detailed set of recommendations for building and operating a secure infrastructure deployment, and can be summarised within these categories:

• Build and maintain a secure network and systems
• Protect account data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy

Technology choices

Unfortunately, it’s not possible to magically deploy a particular technology stack and become PCI compliant, as the PCI requirements focus quite strongly on the operational aspects of managing and maintaining IT systems. There are some key areas you should focus on when choosing the right building blocks to become and stay compliant though, which we’ll cover further in this article. As a supplier of software components, Canonical isn’t in a position to provide security policies, but we do what we can to support our customers to use these components in a secure and compliant fashion.

Vulnerability management

Patching vulnerabilities is an integral part of any security programme, and indeed PCI-DSS requires administrators to fix any critical or high severity vulnerabilities found within their IT estate within a month, and lower severity issues as appropriate.

Ubuntu Pro provides security vulnerability fixes for critical, high and selected medium severity vulnerabilities across all the software packages that are available within the Ubuntu ecosystem. This covers not just the base Operating System, but also the majority of open source applications that developers use today, such as web servers, databases, application runtimes and more – totalling some 25,000+ software packages. And for each Ubuntu release you get a 10 year security maintenance guarantee.

Ubuntu Security Guide

Part of building and maintaining secure systems is about configuring systems according to established hardening standards, and section 2.2.1 of PCI-DSS requires administrators to adhere to industry hardening guides such as those provided by CIS (the Center for Internet Security), NIST or others.

Hardening standards such as the CIS benchmarks contain many hundreds of individual configuration items that can be daunting to try and implement manually, which is why Canonical provides the Ubuntu Security Guide (USG), a tool to simplify the hardening process into a 1-step operation. USG includes profiles for the CIS benchmarks (desktop & server), as well as the DISA STIG (based on NIST 800-171 recommendations) for US Federal use cases.
USG is available as part of Ubuntu Pro, the enterprise security subscription service that sits on top of regular Ubuntu.

Open source software

Many of the other technology requirements within PCI-DSS can be satisfied through the use of Linux capabilities, such as deploying software firewalls for host machines, using disk encryption to protect sensitive data, and logging and monitoring system activity to detect suspicious behaviour. Indeed, when it comes to the latest hot topic in technology – AI – running machine learning models and data science workflows is only possible with open source systems.

Financial Service enterprises are increasingly making use of open source, Linux and Ubuntu, to build fast, efficient, performant and compliant platforms and applications. You can read more about this in our whitepaper here, an in-depth look at how open source adoption within the financial sector is leading to reduced costs, faster innovation and agility, and opens up an exciting avenue to deploying AI models and workflows, all building on the secure and compliant foundations provided by Canonical. You can find out more about how Canonical delivers security at all layers of your technology stack by visiting our dedicated secure open source web page.

Asset management with Landscape

A key part of any security compliance programme such as PCI-DSS is keeping an accurate inventory of your assets. Canonical has developed Landscape to help with this. Available as part of Ubuntu Pro, Landscape monitors systems through a local agent, enabling health metrics, vulnerability status and hardening profiles to be centrally managed through a single dashboard. Landscape provides a complete overview of your Linux estate, and allows you to easily ensure all systems are correctly patched and configured.

Ubuntu Pro for security and compliance

Open source software is freely available for everyone to use, but once you’ve downloaded it from the internet you could well be on your own with no help to understand how to correctly configure and deploy the application, keep it secure over the lifetime of the platform, or demonstrate to auditors that the system is compliant with standards such as PCI-DSS. This is where Ubuntu Pro comes in: we provide one single trusted source of open source software, we have a team of experts on hand to help you with your deployment, we guarantee to provide security updates for 10 years, and give you tools to keep the auditors happy. Ubuntu Pro is free to test out on up to 5 machines with a simple sign-up process.

Conclusion

More and more enterprise customers are taking advantage of Ubuntu Pro to fulfil their compliance needs. PCI-DSS places numerous security controls on organisations, many of which can be satisfied by using Linux technology, and we created Ubuntu Pro to give customers the extra security and compliance guarantees they need to deploy their applications and services in accordance with PCI-DSS directives.

Recommended reading:

• Case study with Brazilian financial services company Sicredi
• Case study with LaunchDarkly’s FedRAMP authorisation
• Whitepaper: 9 out of top 10 US & European financial institutions use Ubuntu
• Ubuntu Pro datasheet