Chainguard Images are the Gold Standard for PCI DSS v4.0
The Payment Card Industry Data Security Standard (PCI DSS) v4.0 is a set of security requirements developed to protect consumer data when storing, processing, and transmitting cardholder information and sensitive authentication data. These standards are written and enforced by the big players in card processing (Mastercard, Discover, Visa, and others), and must be implemented by any company that accepts debit or credit card payments, uses an external vendor to accept debit or credit card payments, or manages cardholder information or authorization data. PCI DSS v4.0 became effective in April 2024 and becomes mandatory starting in April 2025. Non-compliance can result in fines, penalties, or, in the worst cases, the inability to process payments.
Chainguard Images is not a comprehensive solution to the entire PCI DSS framework, but it addresses a few important areas of compliance around container security. Namely, Chainguard helps simplify asset management and vulnerability management. Our images also go above and beyond what is required, with STIG-level hardening and FIPS cryptography. In this blog, we’ll dive deeper into each of these key PCI DSS controls.
Asset Management: Understanding Your Software Supply Chain Inventory
Similar to other compliance frameworks, one of the first steps of PCI DSS v4.0 is identifying the scope of what needs to be secured. For PCI DSS, engineering and compliance teams must fully inventory both first- and third-party components that make up the cardholder data environment (CDE), as well as any components that could impact the security of the CDE. This can be a tedious and time-consuming task that requires committed headcount from the engineering team, pulling developers away from important product work to spend time creating detailed Software Bills of Materials (SBOMs), capturing software dark matter, and manually identifying security gaps in their CDE where risks can proliferate.
Chainguard Images simplifies this process. Our images come with full build-time SBOMs as code that are designed to eliminate much of the manual work needed to scope out your container footprint. Chainguard SBOMs are tool-agnostic – users can leverage nearly any software composition analysis (SCA) tool and still generate consistent scan results while also capturing and documenting software dark matter. And our containers are continuously updated, freeing users from the pain of major software migrations and accreditation. Putting the pieces together: Chainguard abstracts away nearly 100% of container-related asset management complexity and controls for PCI DSS compliance.
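To make the scoping step concrete, here is an added example (not Chainguard code, and not tied to any particular SCA tool) that turns an SPDX JSON SBOM into the component inventory an assessor asks for, and flags packages that lack a supplier, version, or package URL, the kind of undocumented components the post refers to as software dark matter. The SBOM fragment is constructed; package names, versions, and the purl are placeholders, and only the SPDX fields this script reads are included.

```python
"""Build a CDE component inventory from an SPDX JSON SBOM.

Added example, not Chainguard code. SAMPLE_SBOM is a constructed fragment in
SPDX 2.3 JSON shape; real SBOMs carry many more fields and relationships.
"""
import json

# Constructed sample SBOM: one fully described package, one with no supplier or
# purl, and one vendored artifact with no version at all.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "example-image-sbom",  # placeholder document name
    "packages": [
        {"SPDXID": "SPDXRef-pkg-a", "name": "libexample", "versionInfo": "1.2.3",
         "supplier": "Organization: Example Distro",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:apk/example/libexample@1.2.3"}]},
        {"SPDXID": "SPDXRef-pkg-b", "name": "openwidget", "versionInfo": "0.9",
         "supplier": "NOASSERTION", "externalRefs": []},
        {"SPDXID": "SPDXRef-pkg-c", "name": "vendored-blob", "versionInfo": "",
         "externalRefs": []},
    ],
})


def parse_inventory(sbom_json: str):
    """Return one inventory row per SPDX package, with its purl when one is declared."""
    doc = json.loads(sbom_json)
    rows = []
    for pkg in doc.get("packages", []):
        # SPDX records ecosystem identifiers as externalRefs of type "purl".
        purl = next((ref["referenceLocator"] for ref in pkg.get("externalRefs", [])
                     if ref.get("referenceType") == "purl"), None)
        rows.append({
            "name": pkg.get("name", ""),
            "version": pkg.get("versionInfo", ""),
            # SPDX uses NOASSERTION when the producer could not determine a value.
            "supplier": pkg.get("supplier", "NOASSERTION"),
            "purl": purl,
        })
    return rows


def unidentified(rows):
    """Names of components that cannot be traced to a supplier, version, and purl.

    Each of these still needs an owner and a documented risk decision before the
    CDE inventory can be considered complete.
    """
    return [r["name"] for r in rows
            if r["purl"] is None
            or r["supplier"] in ("", "NOASSERTION")
            or not r["version"]]


def scope_summary(sbom_json: str):
    """Counts an assessor can check against the scanner's own component list."""
    rows = parse_inventory(sbom_json)
    return {"components": len(rows), "unidentified": len(unidentified(rows))}


if __name__ == "__main__":
    for row in parse_inventory(SAMPLE_SBOM):
        print(row)
    print("needs follow-up:", unidentified(parse_inventory(SAMPLE_SBOM)))
    print(scope_summary(SAMPLE_SBOM))
```

Running this against a real image SBOM and diffing the result against what your SCA tool reports for the same image is a quick way to confirm the "consistent scan results" claim for your own pipeline, since both views should list the same package set.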
Vulnerability Management and Reporting: The Heart of PCI DSS Compliance
One of the biggest and most time-consuming requirements in PCI DSS v4.0 is the set of Common Vulnerabilities and Exposures (CVE) management controls. Per Control 11.3.1, all CVEs must be identified, evaluated, and managed. That means companies are required to remediate all CVEs in their environments in order to be compliant. Critical and high CVEs must be remediated within a strict 30-day SLA per Control 6.3.3. And as we’ve talked about before, CVE identification, triage, and remediation is a time-consuming process that can take hundreds of hours (or more) away from your engineering team. It’s also extremely expensive, potentially costing hundreds of thousands, or even millions of dollars per year to maintain if you do it yourself.
PCI DSS v4.0 also requires that companies not only remediate CVEs in a timely manner, but also continuously document and report identified CVEs. Per Control 2.2.5, companies must report all CVEs found in their environment, with business justification for why these CVEs exist. These reports typically include a plan of action for assessing and remediating the CVE. The CVE reporting requirements for PCI DSS introduce granular and monotonous overhead, and take away more hours of your engineering team’s precious time.
Chainguard’s container images are designed to give your engineering, security, and compliance teams their time and sanity back, so they can focus on what matters most: building and maintaining world-class products and services. Our containers start at zero CVEs and stay there under our best-in-class remediation SLA (7 days for critical CVEs, 14 days for high, medium, and low). They include only what is necessary to build and run your application, stripping out excess components to shrink the image attack surface. And they are built in a SLSA Level 2 hardened environment and come with full build-time SBOMs and Sigstore code signatures.
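The two timelines above (the 30-day window for critical and high CVEs under Control 6.3.3, and the 7/14-day vendor SLA quoted for Chainguard Images) are easy to track mechanically once scan findings carry a first-seen date. The following is an added example, not Chainguard code and not any scanner's schema: it takes constructed scan findings, classifies each one against a chosen policy, and flags open findings that lack the business justification and plan of action Control 2.2.5 asks for. The CVE identifiers, package names, and dates are placeholders; the numeric windows for medium and low under PCI DSS are left unset here because the post gives no figure for them, which is an assumption you should replace with your own policy.

```python
"""SLA tracking for CVE findings against the timelines described in the post.

Added example, not Chainguard code. SAMPLE_FINDINGS is constructed data shaped
loosely like a scanner's per-package output; the field names are an assumption.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Remediation windows in days. The 30-day figure for critical/high comes from the
# post (Control 6.3.3); medium/low get no numeric deadline here (assumption), but
# still appear in the report because Control 11.3.1 requires every CVE be managed.
PCI_DSS_POLICY = {"critical": 30, "high": 30, "medium": None, "low": None}

# The stricter vendor SLA the post quotes for Chainguard Images.
CHAINGUARD_POLICY = {"critical": 7, "high": 14, "medium": 14, "low": 14}


@dataclass
class Finding:
    cve: str
    package: str
    severity: str            # critical | high | medium | low
    first_seen: date         # date the scanner first reported it
    fixed: Optional[date] = None
    justification: str = ""  # business justification required by Control 2.2.5
    plan: str = ""           # plan of action for assessing / remediating


def days_open(f: Finding, today: date) -> int:
    """Age of a finding: up to its fix date if fixed, otherwise up to today."""
    end = f.fixed or today
    return (end - f.first_seen).days


def sla_status(f: Finding, today: date, policy: dict) -> str:
    """Classify one finding under a policy mapping severity -> max days (or None)."""
    window = policy.get(f.severity.lower())
    age = days_open(f, today)
    if f.fixed is not None:
        return "remediated" if window is None or age <= window else "remediated-late"
    if window is not None and age > window:
        return "overdue"
    return "open"


def needs_justification(f: Finding) -> bool:
    """Control 2.2.5: any CVE still present needs a justification and a plan."""
    return f.fixed is None and not (f.justification.strip() and f.plan.strip())


def build_report(findings, today: date, policy=PCI_DSS_POLICY):
    """One row per finding, in a shape that can be handed to an assessor."""
    return [{
        "cve": f.cve,
        "package": f.package,
        "severity": f.severity,
        "days_open": days_open(f, today),
        "status": sla_status(f, today, policy),
        "missing_justification": needs_justification(f),
    } for f in findings]


def summarize(report):
    """Counts of overdue findings and of open findings with no documentation."""
    return {
        "overdue": sum(1 for r in report if r["status"] == "overdue"),
        "undocumented": sum(1 for r in report if r["missing_justification"]),
    }


# Constructed sample findings; the CVE ids are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "libexample", "critical", date(2025, 3, 1),
            fixed=date(2025, 3, 5), justification="n/a", plan="n/a"),
    Finding("CVE-0000-0002", "libexample", "high", date(2025, 2, 20)),
    Finding("CVE-0000-0003", "openwidget", "medium", date(2025, 3, 20),
            justification="Not reachable: affected code path is not linked",
            plan="Track upstream fix"),
    Finding("CVE-0000-0004", "openwidget", "low", date(2025, 3, 25)),
]
TODAY = date(2025, 4, 1)  # constructed reporting date

if __name__ == "__main__":
    for row in build_report(SAMPLE_FINDINGS, TODAY):
        print(row)
    print("PCI DSS:", summarize(build_report(SAMPLE_FINDINGS, TODAY)))
    print("Vendor SLA:", summarize(build_report(SAMPLE_FINDINGS, TODAY, CHAINGUARD_POLICY)))
```

With the sample data, the high-severity finding first seen on 20 February is 40 days old on 1 April and is overdue under both policies, while the critical finding fixed in four days is within both. Feeding real scanner output into this report, scheduled on the same cadence as your scans, gives you the continuous documentation Control 2.2.5 expects rather than a one-off audit spreadsheet.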
Going Above and Beyond in Container Security: FIPS and STIGs
Chainguard wants to push the bleeding edge of containerization best practices, and so strives to go above and beyond what is required for PCI DSS compliance. As such, we offer functionally equivalent FIPS-validated containers, paired with OS-level STIG hardening. Holding our images to the highest standards helps us deliver a product that can be trusted in sensitive environments and use cases. While these levels of hardening and cryptography are not required by PCI DSS, this kind of functionality is another avenue for Chainguard to deliver the highest level of container security for our customers.
Chainguard Images: Making Vulnerability Management for PCI DSS v4.0 a Breeze
Chainguard Images align directly with PCI DSS controls, saving engineering, compliance, and security teams the overhead and complexity that comes with PCI DSS compliance. Chainguard has helped many companies achieve compliance goals – let us help you.
Ready to Lock Down Your Supply Chain?
Talk to our customer-obsessed, community-driven team.