The Payment Card Industry Data Security Standard (PCI DSS) is a minimum set of requirements for the safe handling of sensitive data associated with credit and debit cards. In the PCI DSS standard, this data is referred to as "cardholder data". When implemented correctly, PCI DSS helps to protect cardholder data from fraud, exfiltration, and theft. PCI DSS is mandated by credit card issuers but administered by the Payment Card Industry Security Standards Council.
Many organizations that do not store cardholder data still rely upon PCI DSS to help protect other sensitive or confidential data or metadata.
Responsibility for compliance with PCI DSS is shared among multiple parties, including card issuers, banks, software-as-a-service (SaaS) providers, and retail merchants. Compliance measures are implemented as a series of business practices, security controls, and technological solutions. An organization's compliance with PCI DSS is certified by a PCI Qualified Security Assessor (QSA).
CockroachDB Advanced has been certified by a PCI Qualified Security Assessor (QSA) as a PCI DSS Level 1 Service Provider. This certification extends the existing SOC 2 Type 2 certification of CockroachDB Advanced. SOC 2 Type 2 provides a baseline level of security controls to safeguard customer data.
This page provides information about compliance with PCI DSS within CockroachDB Advanced, describes some of the ways that CockroachDB Cloud implements and enforces compliance, and illustrates some of the types of changes you may need to implement outside of your clusters.
Features to support PCI DSS are not yet available on Azure. Refer to CockroachDB Advanced on Azure.
Overview of PCI DSS
When a system complies with PCI DSS, the system meets the goals of the standard by implementing a series of requirements, as assessed by an independent PCI QSA. The following table, which is published in Payment Card Industry Security Standards Council's PCI DSS Quick Reference Guide, version 3.2.1, summarizes the goals and requirements of PCI DSS.
Goal | PCI DSS Requirement |
---|---|
Build and maintain a secure network and systems. |
|
Protect cardholder data. |
|
Maintain a vulnerability management program. |
|
Implement strong access control measures. |
|
Regularly monitor and test networks. |
|
Maintain an information security policy. |
|
CockroachDB Advanced is certified by a PCI QSA to be compliant with PCI DSS 3.2.1 within the DBaaS platform. Customers are still responsible to ensure that their applications are PCI DSS compliant. Customers may need to take the additional actions outlined in Responsibilities of the customer to maintain their own PCI compliance when using CockroachDB Advanced clusters for cardholder data or other sensitive data.
Responsibilities of Cockroach Labs
Cockroach Labs takes actions to ensure that the operating procedures and the deployment environment for CockroachDB Advanced clusters meet or exceed the requirements of PCI DSS 3.2.1. Some of these actions include:
- Enforcing comprehensive security policies and standards.
- Providing periodic security training for all Cockroach Labs employees.
- Hardening our operating environments and networks according to industry standards and recommended practices, to ensure that they are secure and resilient against vulnerabilities and attacks.
- Encrypting cluster data and metadata at rest and in transit.
- Regularly scanning our environment using tools designated by PCI as Approved Scanning Vendors (ASVs) to ensure our continued compliance with PCI DSS 3.2.1, and correcting issues as quickly as possible.
- Regularly scanning our environment and software for known security vulnerabilities and applying updates and security patches in a timely manner.
- Implementing data loss prevention (DLP).
- Logging cluster actions and events, redacting sensitive information in audit logs, and retaining audit logs according to the PCI DSS logging requirements.
A comprehensive list of all actions that Cockroach Labs takes to ensure compliance with PCI DSS 3.2.1 is beyond the scope of this document. For more information, contact your Cockroach Labs account team.
Compliance is a shared responsibility. Be sure to read Responsibilities of the customer to support you in maintaining your own PCI DSS compliance within your cluster.
Responsibilities of the customer
For a CockroachDB Advanced cluster to meet PCI DSS standards, you must take additional steps, such as implementing security recommendations and carefully choosing business partners and vendors, and ensuring that your cardholder data or other sensitive information is protected throughout its journey into and out of your CockroachDB Advanced clusters.
It is the customer’s responsibility to know what is required for your compliance with PCI DSS and how to implement a specific requirement. The following points help to illustrate some steps that organizations might take.
A CockroachDB Advanced cluster must have the following features enabled to be used in a PCI DSS compliant manner:
- The cluster must be created as a CockroachDB Advanced private cluster. A private cluster's nodes have no public IP addresses, and its egress traffic moves over private subnets and through a highly-available NAT gateway that is unique to the cluster. An existing cluster cannot be migrated to be a private cluster.
- The cluster must be created with enhanced security features. Enhanced security features cannot be changed after the cluster is created.
Single Sign-On (SSO) helps you avoid storing user passwords in CockroachDB Cloud:
- Cloud Organization SSO allows members of your CockroachDB Cloud organization to authenticate to CockroachDB Cloud using an identity from an identity provider (IdP). This integration can be done using SAML or OIDC.
- Cluster SSO allows users to access the SQL interface of a CockroachDB cluster (whether provisioned on CockroachDB Cloud or self-hosted) with the full security of SSO, and the convenience of being able to choose from a variety of SSO identity providers, including CockroachDB Cloud, Google, Azure, GitHub, or your own self-hosted OIDC.
Enable Customer-Managed Encryption Keys (CMEK), which allow you to protect data at rest in a CockroachDB Dedicated cluster using a cryptographic key that is entirely within your control, hosted in a supported key-management system (KMS) platform. It enables file-based encryption of all new or updated data, and provides additional protection on top of the storage-level encryption of cluster disks.
Enable Egress Perimeter Controls, which ensure that cluster egress operations, such as self-managed cluster backups or change data capture, are restricted to a list of specified external destinations.
Cluster log exports must have the redaction feature enabled to prevent the exposure of sensitive data in logs exported to your instance of Amazon CloudWatch or GCP Cloud Logging.
Cloud Organization audit logs automatically capture information when many types of events occur in your CockroachDB Cloud organization, such as when a cluster is created or when a member is added to or removed from an organization. You can export your CockroachDB Cloud organization's audit logs to analyze usage patterns and investigate security incidents.
Cluster audit log export automatically capture detailed information about queries being executed in your cluster.
Cockroach Labs cannot provide specific advice about ensuring end-to-end compliance of your overall system with PCI DSS or how to implement a specific requirement across all operating environments. The following are additional guidelines for a cluster to be used in a PCI DSS compliant manner:
- Before you insert cardholder data into the cluster, protect it by a combination of encryption, hashing, masking, and truncation. For an example implementation, refer to Integrate CockroachDB Advanced with Satori.
- The cryptographic materials used to protect cardholder data must themselves be protected at rest and in transit, and access to the unencrypted key materials must be strictly limited only to approved individuals.
- Within the cluster, restrict access to cardholder data on a “need to know basis” basis. Access to tables and views in the cluster that contain cardholder data must be restricted, and you are responsible to regularly test for compliance. Refer to Authorization.
- Protect networks that transmit cardholder data from malicious access over the public internet, and regularly test for compliance. For more information about protecting the cluster’s networks, refer to Network Authorization.
- Important security and stability updates are applied regularly and automatically to CockroachDB Advanced clusters. These updates include, but are not limited to, the cluster’s CockroachDB runtime, the operating systems of cluster nodes, APIs, and management utilities. Customers are notified about upcoming cluster maintenance before it happens, when it starts, and when it completes.
- If your cluster is part of a solution that includes external systems and applications that store or process cardholder data, it is your responsibility to ensure that these systems and applications, as well as their dependencies, are compliant with PCI DSS. You are responsible for regularly testing these systems and applications for known vulnerabilities and compliance violations and regularly applying updates and mitigations.