by himanshuy 3409 days ago
Is Docker PCI compliant? My application deals with a lot of PII data. There was a lot of concern in my team over SOC-2 and PCI compliance when I suggested using Docker. We also talked to one of the solution architects from Amazon and he wasn't sure if Docker is ready for PII data.

A single piece of software can't be PCI compliant, only how you use it can be.

You have to argue that Docker uses the Linux isolation mechanisms that make those containers virtual machines in the sense and spirit of PCI.

Treating containers as VMs makes some other requirements even easier, like the request to have a minimal system and to only have one function per server - that's how you want containers to work anyway.

(Btw, PCI has nothing to do with PII.)

> solution architects from Amazon and he wasn't sure if Docker is ready for PII data.

I'm curious if you can relate what his reasoning was?

Docker is, among other things, a wrapper around a bunch of Linux kernel functions, the likes of which have been used for many, many years by companies like Google to facilitate all kinds of useful isolation.

I think it's pretty well agreed that multi-tenant Docker isn't a good security solution.

Use it for operational isolation, not for critical security isolation.

That's what I've heard as well, and I agree with that assessment, given that the requirement is to separate untrusted code execution.

At the same time, going back to the initial quote:

> solution architects from Amazon and he wasn't sure if Docker is ready for PII data

A lot of companies are using containers to execute code that manages all kinds of regulated data right now, ya?

The security limitations of Linux namespaces and friends are mostly related to the execution of untrusted code.

You can make a PCI compliant installation w/ Docker, yes.