PCI DSS compliance for APM and Log Management is only available for Datadog organizations in the US1 site.

PCI DSS compliance for APM and Log Management is only available for Datadog organizations in the US1 site.

Overview

The Payment Card Industry (PCI) Data Security Standard (DSS) has rigorous monitoring and data security requirements for all merchants, service providers, and financial institutions. To meet these requirements, organizations have had to separate out PCI-regulated data and non-regulated data to different applications for monitoring.

Datadog offers PCI-compliant Log Management and Application Performance Monitoring (APM) within the US1 site so that you can collect all of your logs, whether they are PCI-regulated or not, in one place. See Set up a PCI-compliant Datadog organization on how to get started.

Set up a PCI-compliant Datadog organization

To set up PCI-compliant Log Management, you must meet the following requirements:

  • Audit Trail must be enabled and remain enabled for PCI DSS compliance. If you haven’t already enabled Audit Trail, it is automatically enabled once the org is configured as PCI-compliant (after following the steps below).
  • Your Datadog organization is in the US1 site.
  • All logs sent to the PCI endpoints using HTTPS only. If you are using the Agent to send logs, you should enforce HTTPS transport.
  • All your logs endpoints need to be changed to the PCI endpoints for logs.
  • You may request access to the PCI Attestation of Compliance and Customer Responsibility Matrix on Datadog’s Trust Center - note that these documents are only applicable once you have finished all the onboarding steps and have been manually configured to be compliant by Datadog support.

To begin onboarding:

  1. Contact Datadog support or your Customer Success Manager to request to being the PCI onboarding process while ensuring the necessary PCI requirements are met.
  2. After Datadog support or Customer Success confirms that the org is ready to onboard, configure the respective configuration file to send all your logs to the dedicated PCI compliant endpoint(s):
  • agent-http-intake-pci.logs.datadoghq.com:443 for Agent traffic
  • http-intake-pci.logs.datadoghq.com:443 for non-Agent traffic
  • pci.browser-intake-datadoghq.com:443 for browser logs
  1. For example, add the following lines to the Agent configuration file:
logs_config:
  logs_dd_url: <agent-http-intake-pci.logs.datadoghq.com:443>
  1. All logs that are sent to the PCI compliant endpoint(s) automatically have a set of Sensitive Data Scanner PCI rules that are applied to scrub any cardholder data. These dedicated PCI rules must be enalbed for PCI DSS compliance and are included with no additional charge.

To finish onboarding and be moved to compliant:

  1. Inform your Datadog support or your Customer Success Manager that you have moved over all your endpoints to the PCI compliant endpoint(s).
  2. Once confirmed by Datadog, your Logs and Log Management is considered to be PCI-compliant.

If you have any questions about how your now PCI-compliant Log Management satisfies the applicable requirements under PCI DSS, contact your account manager. See information on setting up PCI-compliant Application Performance Monitoring.

To set up PCI compliant Application Performance Monitoring, you must meet the following requirements:

  • Audit Trail must be enabled and remain enabled for PCI DSS compliance. If you haven’t already enabled Audit Trail, it is automatically enabled once the org is configured as PCI-compliant (after following the steps below).
  • Your Datadog organization is in the US1 site.
  • All spans sent to the PCI endpoints using HTTPS only. If you are using the Agent to send spans, you should enforce HTTPS transport.
  • All your spans endpoints need to be changed to the PCI endpoints for spans.
  • You may request access to the PCI Attestation of Compliance and Customer Responsibility Matrix on Datadog’s Trust Center - note that these documents are only applicable once you have finished all the onboarding steps and have been manually configured to be compliant by Datadog support.

To begin onboarding:

  1. Contact Datadog support or your Customer Success Manager to request to being the PCI onboarding process while ensuring the necessary PCI requirements are met.
  2. After Datadog support or Customer Success confirms that the org is PCI DSS compliant, configure the respective configuration file to send spans to the dedicated PCI compliant endpoint:
  • https://trace-pci.agent.datadoghq.com for Agent and non-Agent traffic
  1. For example, add the following lines to the Agent configuration file:
apm_config:
  apm_dd_url: <https://trace-pci.agent.datadoghq.com>
  1. All spans that are sent to the PCI compliant endpoint(s) automatically have a set of Sensitive Data Scanner PCI rules that are applied to scrub any cardholder data. These dedicated PCI rules must be enalbed for PCI DSS compliance and are included with no additional charge.

To finish onboarding and be moved to compliant:

  1. Inform your Datadog support or your Customer Success Manager that you have moved over all your endpoints to the PCI compliant endpoint(s).
  2. Once confirmed by Datadog, your span configuration and Application Performance Monitoring is considered PCI-compliant.

If you have any questions about how your now PCI-compliant Application Performance Monitoring satisfies the applicable requirements under PCI DSS, contact your account manager. See information on setting up PCI-compliant Log Management.

Further Reading

Additional helpful documentation, links, and articles: