We are thrilled to announce that CockroachDB Dedicated, the fully managed service of CockroachDB, is now PCI-DSS certified by a Qualified Security Assessor (QSA) as a PCI Level 1 Service Provider.
The PCI-DSS was created by the PCI Security Standards Council, an organization formed in 2006 by the major credit card associations (Visa, American Express, MasterCard and JCB). The mission of this council is to establish a “minimum security standard” to protect customers’ payment information. Any business that handles credit card and payment data is required to conform to that minimum standard, referred to as the Payment Card Industry (PCI) Data Security Standard (DSS).
Becoming certified against the PCI-DSS is a responsibility that falls primarily on the shoulders of security and legal teams. Generally speaking, each piece of infrastructure or software that can impact the security of customer payment data is required to be certified against the standard. There are also customers who have no payment-related workloads or data but who value PCI-DSS as one of the gold standards of platform security hygiene, which makes the decision to onboard a certified platform easier. The standard applies to companies in industries like Financial Services, Retail, SaaS / PaaS, etc. More specifically, PCI-DSS certification is based on a rigorous list of built-in platform security guardrails such as vulnerability management, system hardening, redacted logging, and encryption.
To certify a system comprehensively is a multi-quarter project. The most critical, and often the most time-consuming, component to get certified within an overall system is the database.
There are actually multiple approaches to PCI-DSS based on the business requirements of an organization. Companies may qualify for a Self Assessment Questionnaire (SAQ) including PCI-DSS SAQ A, SAQ B, SAQ C, or SAQ D. Alternatively, for large scale merchants or service providers like Cockroach Labs, a more comprehensive assessment is undertaken including an audit of the entire set of PCI-DSS requirements.
Many of CockroachDB’s existing customers have deployed the self-hosted version of CockroachDB in systems that handle confidential data (which often include payment data) because that was the best way to get the resilience, consistency, and power of CockroachDB while also keeping a close eye on vulnerability management, patch management, software hardening, and other security requirements.
CockroachDB Dedicated’s certification means that security and legal teams can trust our managed service to store various levels of confidential customer data in a secure manner. This will simplify and speed up the process of achieving certification against PCI-DSS for entire systems. It will help engineering teams improve their operational efficiency by offloading software management, reliability, and maintenance to a service provider that meets PCI-DSS security and compliance requirements. And it will make it easier for more businesses to adopt CockroachDB Dedicated to take advantage of the enhanced efficiency of a fully managed distributed SQL database.
This certification adds to the existing SOC 2 Type 2 certification of CockroachDB Dedicated. SOC 2 Type 2 maps to the baseline level of security controls we have implemented to safeguard customer data.
To stay up to date on CockroachDB’s commitment to security you can visit our trust center. Or you can catch up on some of the blogs we’ve published about cloud IAM roles, secure network egress, or how to SSO to CockroachDB using JWT.