CockroachDB Dedicated has been certified by a PCI Qualified Security Assessor (QSA) as a PCI DSS Level 1 Service Provider. This certification extends the existing SOC 2 Type 2 certification of CockroachDB Dedicated, which provides a baseline level of security controls to safeguard customer data.
This page provides information about CockroachDB Dedicated's compliance with PCI DSS, describes some of the ways that CockroachDB Cloud implements and enforces compliance, and illustrates some of the types of changes you may need to implement outside of your CockroachDB Dedicated clusters.
During limited access, PCI DSS is not supported for CockroachDB Dedicated clusters on Azure. Refer to CockroachDB Dedicated on Azure.
Overview of PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a minimum set of requirements for the safe handling of sensitive data associated with credit and debit cards. In the PCI DSS standard, this data is referred to as "cardholder data." When implemented correctly, PCI DSS helps to protect cardholder data from fraud, exfiltration, and theft. PCI DSS is mandated by credit card issuers but administered by the Payment Card Industry Security Standards Council.
Many organizations that do not store cardholder data still rely on compliance with PCI DSS to help protect other sensitive or confidential data or metadata.
Responsibility for compliance with PCI DSS is shared among multiple parties, including card issuers, banks, software-as-a-service (SaaS) providers, and retail merchants. Compliance measures are implemented as a series of business practices, security controls, and technological solutions. An organization's compliance with PCI DSS is certified by a PCI Qualified Security Assessor (QSA).
When a system complies with PCI DSS, the system meets the goals of the standard by implementing a series of requirements, as assessed by an independent PCI QSA. The following table, which is published in Payment Card Industry Security Standards Council's PCI DSS Quick Reference Guide, version 3.2.1, summarizes the goals and requirements of PCI DSS.
|Goal||PCI DSS Requirement|
|Build and maintain a secure network and systems.||
|Protect cardholder data.||
|Maintain a vulnerability management program.||
|Implement strong access control measures.||
|Regularly monitor and test networks.||
|Maintain an information security policy.||
CockroachDB Dedicated has implemented the requirements outlined in PCI DSS 3.2.1 within the DBaaS platform. To take advantage of that compliance, you should take the actions outlined in Responsibilities of the customer.
Responsibilities of Cockroach Labs
Cockroach Labs takes actions to ensure that the operating procedures and the deployment environment (the platform) for CockroachDB Dedicated clusters meet or exceed the requirements of PCI DSS 3.2.1. Some of these actions include:
- Enforcing comprehensive security policies and standards.
- Providing periodic security training for all Cockroach Labs employees.
- Hardening our operating environments and networks according to industry standards and recommended practices to ensure that they are secure and resilient against vulnerabilities and attacks.
- Encrypting cluster data and metadata at rest and in transit.
- Regularly scanning our environment using tools designated by PCI as Approved Scanning Vendors (ASVs) to ensure our continued compliance with PCI DSS 3.2.1, and correcting issues as quickly as possible.
- Regularly scanning our environment and software for known security vulnerabilities and applying updates and security patches in a timely manner.
- Implementing data loss prevention (DLP) tools and techniques.
- Logging cluster actions and events, redacting sensitive information in audit logs, and retaining audit logs according to the PCI DSS logging requirements.
A comprehensive list of all actions that Cockroach Labs takes to ensure compliance with PCI DSS 3.2.1 is beyond the scope of this document. For more information, contact your Cockroach Labs account team.
Compliance is a shared responsibility. Be sure to read Responsibilities of the customer to ensure that your cluster is compliant with PCI DSS.
Responsibilities of the customer
To ensure that a CockroachDB Dedicated cluster complies with PCI DSS 3.2.1, you must enable and configure the following cluster settings and features:
- The CockroachDB Dedicated cluster must be created as a private cluster. A private cluster's nodes have no public IP addresses, and its egress traffic moves over private subnets and through a highly-available NAT gateway that is unique to the cluster. An existing cluster cannot be migrated to be a private cluster.
- Customer-Managed Encryption Keys (CMEK) must be enabled on the cluster. CMEK protects data at rest in a CockroachDB Dedicated cluster using a cryptographic key that is entirely within your control, hosted in a supported cloud provider key-management system (KMS). It enables file-based encryption of all new or updated data, and provides additional protection on top of the storage-level encryption of cluster disks.
- Egress Perimeter Controls must be enabled. Egress Perimeter Controls ensure that cluster egress operations, such as customer-managed cluster backups or changefeeds, are restricted to a list of specified external destinations.
- Cluster log exports must have the redaction feature enabled to prevent the exposure of sensitive data in logs exported to your instance of AWS CloudWatch or GCP Cloud Logging.
- Cloud Organization audit logs automatically capture information when many types of events occur in your CockroachDB Cloud organization, such as when a cluster is created or when a member is added to or removed from an organization. You can export your CockroachDB Cloud organization's audit logs to analyze usage patterns and investigate security incidents.
- Cockroach Labs recommends enabling the following Single Sign-On (SSO) features, which helps you minimize the risk of password exposure in CockroachDB Cloud:
- Cloud Organization SSO allows members of your CockroachDB Cloud organization to authenticate to CockroachDB Cloud using an identity from an identity provider (IdP). This integration can be done using SAML or OIDC.
- Cluster SSO allows users to connect to the SQL interface of a CockroachDB cluster using a JWT (JSON Web Token). A variety of JWT issuers can be configured, including CockroachDB Cloud (for connectivity using the
ccloudCLI), GCP service accounts, Azure managed identities, and others.
Cockroach Labs cannot provide specific advice about ensuring end-to-end compliance of your overall system with PCI DSS or how to implement a specific requirement across all operating environments. The following points describe some steps that organizations might take to ensure compliance, and is not exhaustive.
- Safeguard cardholder data by a combination of encryption, hashing, masking, and truncation. For an example implementation, refer to Integrate CockroachDB Dedicated with Satori.
- Protect unencrypted cryptographic materials both at rest and in transit. Restrict access to unencrypted key materials on a need-to-know basis.
- Restrict access to tables and views that contain cardholder data on a need-to-know basis. For details on configuring user access, refer to Authorization.
- Take steps to protect networks that transmit cardholder data from malicious access over the public internet. For details on configuring network access, refer to Network Authorization.
- Regularly test all systems, applications, and dependencies that are involved in storing or processing cardholder data for known vulnerabilities.