PCI DSS

Runops doesn’t access card data. Runops-managed components are out of the PCI scope. The only component that may access card data is the Runops agent that runs inside your infrastructure. It’s an open-source application to which you can apply the same controls you have for your internal PCI-scoped applications.
Let’s dive deeper. To understand how this is possible you need to understand that the Runops architecture has two parts:
  1. the Runops Agent, a component that runs inside your infrastructure and where you set all the configurations on CDE access, and
  2. the Runops API, which backs user interfaces, chatbot integrations, webhooks, and others. There are no configurations you can make in the Runops API (hosted by us) that affect the CDE.
Runops is a super fast way to comply with PCI requirement 6.4.3, learn more here.

Runops Access Flow

  1. When a user makes an access request the Runops API makes it available to the agent to pull. The Agent pulls executions as they become available in the API.
  2. Once the Agent finds an execution for that environment in the API it proceeds to checking the user identity. The Agent checks the signature of the JWT generated by the session of the user that initiated the request against the JWK configuration set in the Agent.
  3. After checking the user identity, the agent asks the Secrets Manager solution for a temporary hold of the credentials to the system being accessed.
  4. With the credentials, the agent executes the access requested by the user against the system.
  5. The results of the execution, potentially containing CHD and SAD, are sent to the PCI-compliant GCP DLP service for identification and removal of CHD and SAD. The configuration of the DLP is made by the client, or the Agent in this case. If the DLP gets deactivated in GCP, the request fails and no CHD or SAD leaves the agent.
Google Data Loss Prevention service PCI compliance can be verified here: https://cloud.google.com/security/compliance/pci-dss
  6. After ensuring that the results are clean of any CHD or SAD, the agent sends them back to the API.
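The two agent-side controls in the flow above, modelled as an added Python example that is not Runops code: the step 2 signature check of the request JWT against a JWK set configured in the agent (here a constructed HS256 `oct` key, standing in for whatever key type your identity provider publishes), and the step 5 fail-closed gate, where a constructed Luhn-based redactor stands in for the Google DLP service and nothing is released when the DLP is unavailable. `mint_hs256` exists only so the demo can produce a token; in practice the identity provider signs.

```python
import base64, hashlib, hmac, json, re

def _b64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64u_enc(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

# Constructed JWK set standing in for the JWK configuration set in the agent.
AGENT_JWKS = {"keys": [{"kty": "oct", "kid": "idp-1", "k": _b64u_enc(b"constructed-demo-secret")}]}

def mint_hs256(claims: dict, jwk: dict) -> str:
    """Constructed helper so the demo can produce a token; the IdP does this in practice."""
    h = _b64u_enc(json.dumps({"alg": "HS256", "kid": jwk["kid"]}).encode())
    p = _b64u_enc(json.dumps(claims).encode())
    sig = hmac.new(_b64u(jwk["k"]), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64u_enc(sig)}"

def verify_jwt_hs256(token: str, jwks: dict) -> dict:
    """Step 2: check the JWT signature against the agent-side JWK set.
    Any mismatch raises, so an unverified request never reaches the credential step."""
    h, p, s = token.split(".")
    header = json.loads(_b64u(h))
    if header.get("alg") != "HS256":  # only the configured algorithm, never the token's choice
        raise ValueError("unsupported alg")
    key = next((k for k in jwks["keys"] if k.get("kty") == "oct" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(_b64u(key["k"]), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u(s)):
        raise ValueError("bad signature")
    return json.loads(_b64u(p))

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators

def local_dlp_redact(text: str) -> str:
    """Constructed stand-in for the DLP service: redact Luhn-valid 13-19 digit PANs."""
    return PAN_RE.sub(lambda m: "[PAN REDACTED]" if luhn_ok(re.sub(r"\D", "", m.group())) else m.group(), text)

def release_results(raw: str, dlp) -> str:
    """Step 5 fail-closed gate: with no working DLP, no output leaves the agent."""
    if dlp is None:
        raise RuntimeError("DLP unavailable: refusing to release results")
    return dlp(raw)
```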
The Identity Provider and DLP configurations are set by the Agent hosted by you. It is not possible to change these configurations from outside your infrastructure in any way.
Considering that Runops Agent is already part of your PCI audit process happening inside your infrastructure, we need to analyze how the Runops API impacts the CDE.
Let’s analyze the behaviours of the Runops API with the PCI DSS Scoping Categories diagram from the Guidance for PCI DSS Scoping and Network Segmentation document:

CDE Systems


System component stores, processes, or transmits CHD or SAD

No Runops component stores CHD or SAD. The Runops Agent processes and transmits them, but removes this data through the DLP process using a PCI-compliant service before communicating with the Runops API. The Runops API doesn’t store, process, or transmit CHD or SAD.

System component is on the same network segment as system(s) that store, process, or transmit cardholder data.

The Runops API is not part of your network and has no connections to it. The Runops Agent is the component actively connecting to the API to request work. There is no communication from the API to Agents, only from the Agent (which is part of your PCI scope) to the API.

Connected-to or Security-impacting Systems


System component directly connects to CDE

Runops API has no direct connections to CDE. The Runops Agent could have direct access to CDE depending on your setup, but the agent is part of your PCI scope. The Agent is the component communicating with the Runops-hosted API. There are no communications from the API to the Agent.

System component indirectly connects to CDE

Runops API has no indirect connections to CDE. The Runops Agent could have indirect access to CDE depending on your setup, but the agent is part of your PCI scope. The Agent is the component communicating with the Runops-hosted API. There are no communications from the API to the Agent.

System component impacts configuration or security of the CDE

All configurations impacting CDE stay inside the Agent. Namely:
  1. Managing credentials of CDE systems
  2. Identity verification: ensuring that any interaction with CDE was initiated by an authorized user
  3. Data Loss Prevention: ensuring that any CHD or SAD won’t leave the CDE
Considering that all configurations impacting CDE systems are kept inside your Agent, there are no impacts to the security of the environment that could be created by the Runops-hosted API.

System component provides security services to the CDE

The component providing security to CDE services is the Runops Agent. The Runops API only builds on top of metadata generated by the Agent, clean of any CHD or SAD.

System component segments CDE systems from out-of-scope systems and networks

This is a great definition of what the Runops Agent does. The Runops API is out-of-scope exactly because of this behaviour. The Agent executes all the CDE-related work, isolating it from all other systems, including the Runops API.

System component supports PCI DSS requirements

There is a bit of work on your side on this requirement. You can’t use the Runops API as the source of truth for your audit events. So, you need to use Runops webhooks to send these events in real time to the SIEM used to back your PCI auditing.

Out-of-Scope Systems


System component does NOT store, process, or transmit CHD or SAD

The open-source and self-hosted Runops Agent removes all CHD and SAD before communicating with the Runops-hosted API.

System component is NOT in the same network segment as systems that store, process, or transmit CHD or SAD

The Runops-hosted API is inside a Runops-hosted network.

System component cannot connect to any system in the CDE

The Runops-hosted API has no connection to the customers’ premises or networks. The Runops Agent (self-hosted) is the component connecting to the Runops API.

System component does NOT meet any criteria described for connected-to or security-impacting systems

The Runops-hosted API does NOT meet these criteria as detailed in the Connected-to or Security-impacting Systems section of this document.