For any organization that stores, processes, or transmits cardholder data, monitoring can pose a particular set of challenges. The Payment Card Industry (PCI) Data Security Standard (DSS) dictates rigorous monitoring and data security requirements for the cardholder data environments (CDEs) of all merchants, service providers, and financial institutions. In order to meet these requirements, many organizations have resorted to using multiple monitoring platforms, funneling PCI-regulated data and non-PCI-regulated data into separate silos. But this approach is far from ideal: it drives up overhead, creates unnecessary complexity, and diminishes the effectiveness of these organizations’ monitoring by creating disjointed data.
We’re pleased to announce that Datadog now offers PCI-compliant Log Management and Application Performance Monitoring (APM), meaning that organizations that process cardholder data can rely on Datadog as a PCI Level 1 Service Provider for all of their monitoring needs. Our PCI Level 1 certification offers a range of benefits to Datadog users, including protection against fraud and the steep fines that can result from compromised security, quarterly scanning by an Approved Scanning Vendor (ASV), File Integrity Monitoring, and the credibility that comes with the PCI seal of approval.
If your organization stores, processes, or transmits cardholder data online, you can now centralize your logging and APM with Datadog, collecting all of your logs—both PCI-regulated and not—in one place and sparing your organization the expenses and operational headaches of managing multiple monitoring tools. In this post, we’ll delve into the implications and importance of PCI compliance, guide you through some approaches to monitoring payment transactions using APM and logs, and discuss navigating a range of regulatory guidelines with Datadog.
The PCI DSS is a global benchmark for the secure processing, transmission, and storage of cardholder data. Adherence is critical for enterprise organizations, retail and ecommerce businesses, banks, and anyone else processing payments or storing sensitive payment information online. It’s not just a highly valued best practice for data security, but a prerequisite for processing payments from Visa, MasterCard, American Express, Discover, and Japan Credit Bureau credit cards.
More and more organizations are faced with the problems of managing cardholder data, and thus with the need for a PCI-compliant monitoring solution. For companies operating at an accelerated rate of innovation, with many engineering teams and integrations with third-party payment providers and APIs, determining what data is captured by monitoring and what data is needed can be difficult and convoluted. In fintech and beyond, many companies have legitimate needs—ranging from troubleshooting to compliance—for capturing this data. But for any organization that handles cardholder data online, a PCI-compliant monitoring platform should be considered a core requirement.
To achieve PCI compliance, Datadog implemented network and service-level isolation of the PCI-regulated environment, as well as data-store monitoring, authentication, encryption, and specialized data processing and redaction where cardholder data is detected. We also undergo regular auditing and certification in order to continually guarantee compliance.
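As an added illustration of the redaction step described above (example code written for this post, not Datadog's own implementation, whose detection rules are not shown here): a small Python filter that scans constructed sample log lines for Luhn-valid 13 to 19 digit sequences and masks all but the last four digits, while leaving Luhn-invalid digit runs such as order or trace IDs untouched.

```python
import re
from typing import List, Tuple

# Constructed sample log lines (not from the page). The two card numbers are
# widely published test PANs that pass the Luhn check; the 16-digit order id
# does not and must survive redaction.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z INFO checkout pan=4111111111111111 amount=19.99 status=ok",
    "2024-05-01T10:00:02Z WARN gateway retry pan=5500 0000 0000 0004 status=timeout",
    "2024-05-01T10:00:03Z INFO order id=1234567890123456 status=ok",
]

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact_pans(line: str) -> Tuple[str, int]:
    """Mask each Luhn-valid PAN in a line, keeping only the last four digits.
    Returns (redacted_line, number_of_pans_redacted)."""
    count = 0

    def _mask(match: re.Match) -> str:
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw  # Luhn-invalid runs (order ids, trace ids) are left as-is
        count += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    return PAN_CANDIDATE.sub(_mask, line), count


def redact_log_lines(lines: List[str]) -> Tuple[List[str], int]:
    """Redact a batch of log lines; returns (redacted_lines, total_pans_found)."""
    out, total = [], 0
    for line in lines:
        redacted, n = redact_pans(line)
        out.append(redacted)
        total += n
    return out, total
```

Running the filter in the application's logging pipeline, before lines are shipped to any platform, keeps full PANs out of the log store regardless of which downstream tool is PCI-scoped.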
Requirement 10 of the PCI DSS states that payment processors must “track and monitor all access to network resources and cardholder data.” At the same time, however, the strict PCI DSS requirements for the management of monitoring data can hamper the ability of payment processors to effectively monitor their applications and networks, often leading to the adoption of hodgepodge solutions involving multiple platforms.
Our PCI Level 1 certification eliminates the need for this type of bifurcated solution, allowing you to effectively consolidate your monitoring while ensuring your organization’s own PCI compliance. Using Datadog’s PCI-compliant Log Management and APM, you can now monitor the reliable and secure handling of cardholder data and effectively troubleshoot any issues. For example, using Datadog to monitor payment transactions and alert on payment failures or prolonged response times can help you quickly identify and investigate issues in your network or application. Creating custom dashboards and defining SLOs enables refined vigilance, allowing you to home in on pivotal health and performance indicators.
Further precision is made possible via the Log Explorer, particularly with the aid of facets and Saved Views. Log analysis can be conducted using an array of different tools, including the Log Patterns view, which automatically groups logs in order to expedite investigations, and Log Anomaly Detection, which relies on Watchdog to automatically surface deviations. Log visualization using time-series graphs, top lists, and more can also provide key troubleshooting insights, helping you quickly identify peaks and patterns.
For many organizations, the PCI DSS is just one element in a complex fabric of regulatory guidelines. Datadog provides tools for maintaining centralized governance and compliance while navigating this overlapping set of requirements, all via a unified monitoring and security platform.
Datadog Audit Trail—along with features like our Sensitive Data Scanner and Role-Based Access Control (RBAC)—helps you maintain the rigorous oversight required to keep your organization on track with the PCI DSS and other requirements. This helps you preserve transparency in addition to reinforcing governance and compliance. Audit Trail allows you to monitor the actions of every user in your organization, giving you complete visibility into access and enabling you to track and remediate configuration changes that might affect compliance. This, in turn, can help you develop governance strategies to ensure compliance going forward.
As a certified PCI Level 1 Service Provider, Datadog now offers enterprise organizations a comprehensive solution for monitoring with centralized governance within our US1 environment. Datadog Log Management and APM provide critical visibility while maintaining the airtight data security required by the PCI DSS. Datadog’s PCI compliance complements an extensive set of tools for ensuring broad transparency, compliance, and governance, including Audit Trail, Sensitive Data Scanner, and Role-Based Access Control.
Get started with Datadog today to gain comprehensive, centralized governance and visibility while ensuring PCI compliance. If you’re new to Datadog, sign up for a 14-day free trial.