PCI DSS compliance for APM and Log Management is only available for Datadog organizations in the US1 site.

PCI DSS compliance for APM and Log Management is only available for Datadog organizations in the US1 site.

Overview

The Payment Card Industry (PCI) Data Security Standard (DSS) has rigorous monitoring and data security requirements for all merchants, service providers, and financial institutions. To meet these requirements, organizations have had to separate out PCI-regulated data and non-regulated data to different applications for monitoring.

Datadog offers PCI-compliant Log Management and Application Performance Monitoring (APM) within the US1 site so that you can collect all of your logs, whether they are PCI-regulated or not, in one place. See Set up a PCI-compliant Datadog organization on how to get started.

Set up a PCI-compliant Datadog organization

Audit Trail must be enabled and remain enabled for PCI DSS compliance.

To set up a PCI-compliant Datadog organization, follow these steps:

  1. Contact Datadog support or your Customer Success Manager to request that the org be configured as a PCI-compliant org and discuss the necessary paperwork to complete the PCI requirements.
  2. Enable Audit Trail in the new org. Audit Trail must be enabled and remain enabled for PCI DSS compliance.
  3. After Datadog support or Customer Success confirms that the org is PCI DSS compliant, configure the Agent configuration file to send logs to the dedicated PCI-compliant endpoint (agent-http-intake-pci.logs.datadoghq.com):
    logs_config:
      logs_dd_url: <http://agent-http-intake-pci.logs.datadoghq.com:443|agent-http-intake-pci.logs.datadoghq.com:443>
    
    Note: The port must be included in the configuration. PCI compliance uses HTTPS log forwarding only. If you are using the Agent, you should enforce HTTPS transport.

If you have any questions about how the Log Management service satisfies the applicable requirements under PCI DSS, contact your account manager.

Audit Trail must be enabled and remain enabled for PCI DSS compliance.

To set up a PCI-compliant Datadog organization, follow these steps:

  1. Contact Datadog support or your Customer Success Manager to request that the org be configured as a PCI-compliant org and discuss the necessary paperwork to complete the PCI requirements.
  2. Enable Audit Trail in the new org. Audit Trail must be enabled and remain enabled for PCI DSS compliance.
  3. After Datadog support or Customer Success confirms that the org is PCI DSS compliant, configure the Agent configuration file to send spans to the dedicated PCI-compliant endpoint (https://trace-pci.agent.datadoghq.com):
    apm_config:
      apm_dd_url: <https://trace-pci.agent.datadoghq.com>
    

Further Reading

Additional helpful documentation, links, and articles: