PCI DSS compliance for APM and Log Management is only available for Datadog organizations in the US1 site.

Overview

The Payment Card Industry (PCI) Data Security Standard (DSS) has rigorous monitoring and data security requirements for all merchants, service providers, and financial institutions. To meet these requirements, organizations have had to separate out PCI-regulated data and non-regulated data to different applications for monitoring.

Datadog offers PCI-compliant Log Management and Application Performance Monitoring (APM) within the US1 site so that you can collect all of your logs, whether they are PCI-regulated or not, in one place. To get started, see Set up a PCI-compliant Datadog organization.

Set up a PCI-compliant Datadog organization

Audit Trail must be enabled and remain enabled for PCI DSS compliance.

To set up a PCI-compliant Datadog organization for Log Management, follow these steps:

  1. Contact Datadog support or your Customer Success Manager to request that the org be configured as a PCI-compliant org and discuss the necessary paperwork to complete the PCI requirements.
  2. If not already enabled, Audit Trail is automatically enabled when the org is configured as PCI-compliant. Audit Trail must be enabled and remain enabled for PCI DSS compliance.
  3. After Datadog support or Customer Success confirms that the org is PCI DSS compliant, update the relevant configuration file to send logs to the dedicated PCI-compliant endpoint:
     • agent-http-intake-pci.logs.datadoghq.com:443 for Agent traffic
     • http-intake-pci.logs.datadoghq.com:443 for non-Agent traffic
     • pci.browser-intake-datadoghq.com:443 for browser logs

For example, add the following lines to the Agent configuration file:

logs_config:
  logs_dd_url: agent-http-intake-pci.logs.datadoghq.com:443

Note: The port must be included in the configuration. PCI compliance uses HTTPS log forwarding only. If you are using the Agent, you should enforce HTTPS transport.

If you have any questions about how the Log Management service satisfies the applicable requirements under PCI DSS, contact your account manager.

To set up a PCI-compliant Datadog organization for APM, follow these steps:

  1. Contact Datadog support or your Customer Success Manager to request that the org be configured as a PCI-compliant org and discuss the necessary paperwork to complete the PCI requirements.
  2. If not already enabled, Audit Trail is automatically enabled when the org is configured as PCI-compliant. Audit Trail must be enabled and remain enabled for PCI DSS compliance.
  3. After Datadog support or Customer Success confirms that the org is PCI DSS compliant, configure the Agent configuration file to send spans to the dedicated PCI-compliant endpoint (https://trace-pci.agent.datadoghq.com):
    apm_config:
      apm_dd_url: https://trace-pci.agent.datadoghq.com
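
A check for the two Agent settings above, added here as an example and not taken from Datadog's documentation or tooling. It assumes the two-level layout shown in the snippets; read_settings, check_pci, the sample files, and the force_use_http check (the Agent's logs_config option for HTTPS transport, which this page does not name) are this example's own.

```python
import re

# Agent endpoints as listed on this page.
PCI_LOGS_URL = "agent-http-intake-pci.logs.datadoghq.com:443"
PCI_APM_URL = "https://trace-pci.agent.datadoghq.com"

def read_settings(text):
    """Read `section:` / `  key: value` lines (assumption: not a full YAML parser)."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop comments
        key, _, value = line.strip().partition(":")
        if line[:1].isspace():
            settings[f"{section}.{key}"] = value.strip(" '\"")
        elif line:
            section = key
    return settings

def check_pci(text):
    """Return findings; an empty list means the file matches the PCI settings."""
    cfg, findings = read_settings(text), []
    logs = cfg.get("logs_config.logs_dd_url", "")
    if logs + ":443" == PCI_LOGS_URL:
        findings.append("logs_dd_url: port missing, must end in :443")
    elif logs != PCI_LOGS_URL:
        findings.append(f"logs_dd_url: {logs or 'unset'} is not the PCI intake")
    # force_use_http: the Agent's HTTPS-transport option (not named on this page).
    if cfg.get("logs_config.force_use_http", "").lower() != "true":
        findings.append("force_use_http: HTTPS transport is not enforced")
    apm = cfg.get("apm_config.apm_dd_url", "")
    if apm.rstrip("/") != PCI_APM_URL:
        findings.append(f"apm_dd_url: {apm or 'unset'} is not the PCI trace endpoint")
    return findings

# Constructed sample files for this example.
GOOD = """logs_config:
  logs_dd_url: agent-http-intake-pci.logs.datadoghq.com:443
  force_use_http: true
apm_config:
  apm_dd_url: https://trace-pci.agent.datadoghq.com
"""
BAD = """logs_config:
  logs_dd_url: agent-http-intake-pci.logs.datadoghq.com  # port dropped
apm_config:
  apm_dd_url: http://trace-pci.agent.datadoghq.com
"""

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_pci(text) or "ok")
```

A value pasted with surrounding angle brackets is reported as not matching the PCI intake, because the comparison is exact.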
    
