PCI DSS compliance for APM and Log Management is available only for Datadog organizations in the US1 site.

Overview

The Payment Card Industry (PCI) Data Security Standard (DSS) sets strict monitoring and data-security requirements for all merchants, service providers, and financial institutions. To meet these requirements, organizations have had to separate PCI-regulated data from non-regulated data and monitor each in a separate application.

Datadog offers PCI-compliant Log Management and Application Performance Monitoring (APM) within the US1 site, so you can collect all of your logs in one place regardless of whether they are subject to PCI regulation. To get started, see Set up a PCI-compliant Datadog organization.

Set up a PCI-compliant Datadog organization

To set up PCI-compliant Log Management, you must meet the following requirements:

  • Audit Trail must be enabled and remain enabled for PCI DSS compliance. If you haven’t already enabled Audit Trail, it is automatically enabled once the org is configured as PCI-compliant (after following the steps below).
  • Your Datadog organization is in the US1 site.
  • All logs must be sent to the PCI endpoints using HTTPS only. If you are using the Agent to send logs, you should enforce HTTPS transport.
  • All your endpoints need to be changed to the PCI endpoints.
  • You may request access to the PCI Attestation of Compliance and Customer Responsibility Matrix on Datadog’s Trust Center - note that these documents are only applicable once you have finished all the onboarding steps and have been manually configured to be compliant by Datadog support.

To begin onboarding:

  1. Contact Datadog support or your Customer Success Manager to request to begin the PCI onboarding process while ensuring the necessary PCI requirements are met.
  2. After Datadog support or Customer Success confirms that the org is ready to onboard, configure the respective configuration file to send all your logs to the dedicated PCI compliant endpoint(s):
     • agent-http-intake-pci.logs.datadoghq.com:443 for Agent traffic
     • http-intake-pci.logs.datadoghq.com:443 for non-Agent traffic
     • pci.browser-intake-datadoghq.com:443 for browser logs
  3. For example, add the following lines to the Agent configuration file:

     logs_config:
       logs_dd_url: <agent-http-intake-pci.logs.datadoghq.com:443>

  4. All logs that are sent to the PCI compliant endpoint(s) automatically have a set of Sensitive Data Scanner PCI rules applied to scrub any cardholder data. These dedicated PCI rules must be enabled for PCI DSS compliance and are included at no additional charge.

To finish onboarding and have your org marked as compliant:

  1. Inform your Datadog support or your Customer Success Manager that you have moved over all your endpoints to the PCI compliant endpoint(s).
  2. Once confirmed by Datadog, your logs and Log Management are considered PCI-compliant.

If you have any questions about how your now PCI-compliant Log Management satisfies the applicable requirements under PCI DSS, contact your account manager. See information on setting up PCI-compliant Application Performance Monitoring.

To set up PCI-compliant Application Performance Monitoring, you must meet the following requirements:

  • Audit Trail must be enabled and remain enabled for PCI DSS compliance. If you haven’t already enabled Audit Trail, it is automatically enabled once the org is configured as PCI-compliant (after following the steps below).
  • Your Datadog organization is in the US1 site.
  • All spans must be sent to the PCI endpoints using HTTPS only. If you are using the Agent to send spans, you should enforce HTTPS transport.
  • All your endpoints need to be changed to the PCI endpoints.
  • You may request access to the PCI Attestation of Compliance and Customer Responsibility Matrix on Datadog’s Trust Center - note that these documents are only applicable once you have finished all the onboarding steps and have been manually configured to be compliant by Datadog support.

To begin onboarding:

  1. Contact Datadog support or your Customer Success Manager to request to begin the PCI onboarding process while ensuring the necessary PCI requirements are met.
  2. After Datadog support or Customer Success confirms that the org is PCI DSS compliant, configure the respective configuration file to send spans to the dedicated PCI compliant endpoint:
     • https://trace-pci.agent.datadoghq.com for Agent and non-Agent traffic
  3. For example, add the following lines to the Agent configuration file:

     apm_config:
       apm_dd_url: <https://trace-pci.agent.datadoghq.com>

  4. All spans that are sent to the PCI compliant endpoint(s) automatically have a set of Sensitive Data Scanner PCI rules applied to scrub any cardholder data. These dedicated PCI rules must be enabled for PCI DSS compliance and are included at no additional charge.

To finish onboarding and have your org marked as compliant:

  1. Inform your Datadog support or your Customer Success Manager that you have moved over all your endpoints to the PCI compliant endpoint(s).
  2. Once confirmed by Datadog, your span configuration and Application Performance Monitoring are considered PCI-compliant.
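Both onboarding procedures above hinge on every Agent endpoint having been moved to the PCI intake. The following script is an added example, not Datadog's own code or tooling: it reads a datadog.yaml and reports any logs or APM endpoint that is absent or still points somewhere other than the PCI endpoints listed in the steps. The minimal line-based YAML reader and the two sample configs are constructed for this example.

```python
import re

# Added example, not Datadog's own code: checks that a Datadog Agent datadog.yaml
# routes both logs and APM spans to the PCI intake endpoints from the steps above.
PCI_LOGS_ENDPOINT = "agent-http-intake-pci.logs.datadoghq.com:443"
PCI_APM_ENDPOINT = "https://trace-pci.agent.datadoghq.com"

def _section_value(config_text, section, key):
    """Value of `key` directly under top-level `section`, or None if absent.
    Minimal line-based reader, constructed for this example; it only handles the
    two-level layout of logs_config / apm_config in datadog.yaml."""
    in_section = False
    for line in config_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        if not line.startswith((" ", "\t")):
            in_section = line.strip() == f"{section}:"  # new top-level key
            continue
        if in_section:
            match = re.match(r"\s+([\w-]+):\s*(.*)$", line)
            if match and match.group(1) == key:
                return match.group(2).strip().strip("<>").strip("\"'")  # drop <> and quotes
    return None

def check_pci_endpoints(config_text):
    """Map each endpoint key that is not the PCI one to its current value.
    Empty dict: logs and spans both go to the PCI intake. None: key absent, so
    the Agent falls back to its default (non-PCI) endpoint, which fails too."""
    findings = {}
    logs_url = _section_value(config_text, "logs_config", "logs_dd_url")
    apm_url = _section_value(config_text, "apm_config", "apm_dd_url")
    if logs_url != PCI_LOGS_ENDPOINT:
        findings["logs_config.logs_dd_url"] = logs_url
    if apm_url != PCI_APM_ENDPOINT:
        findings["apm_config.apm_dd_url"] = apm_url
    return findings

# Constructed sample configs: one fully onboarded, one with drifted/missing keys.
COMPLIANT_CONFIG = """\
logs_config:
  logs_dd_url: <agent-http-intake-pci.logs.datadoghq.com:443>
apm_config:
  apm_dd_url: https://trace-pci.agent.datadoghq.com
"""
DRIFTED_CONFIG = """\
logs_config:
  logs_dd_url: agent-http-intake.logs.datadoghq.com:443
apm_config:
  enabled: true
"""
```

Run `check_pci_endpoints` over the real file's contents before telling support that all endpoints have been moved; any non-empty result is a key that still needs changing.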

If you have any questions about how your now PCI-compliant Application Performance Monitoring satisfies the applicable requirements under PCI DSS, contact your account manager. See information on setting up PCI-compliant Log Management.
