Manage PCI DSS v4.0.1 requirements with Datadog

Gorka Vicente

In today’s digital economy, businesses that handle payment card transactions are increasingly focused on security to protect customer data and maintain trust. Cyber threats that target payment information continue to evolve, making it essential for organizations to implement strong security controls.

The Payment Card Industry Data Security Standard (PCI DSS) was created to establish a set of best practices for securing cardholder data. For small businesses and large enterprises alike, compliance with PCI DSS helps safeguard sensitive payment information, reduce the risk of breaches, and avoid potential financial or reputational damage.

However, meeting PCI DSS requirements can be complex, especially with evolving compliance standards and the shift away from specific security tools toward outcome-based security practices. In this post, we’ll explain:

What PCI DSS compliance entails
Why PCI DSS compliance matters
Key changes in PCI DSS v4.0.1
How Datadog helps organizations strengthen security and achieve PCI DSS compliance

By understanding these elements, businesses can better navigate the compliance landscape and implement security measures that not only help meet PCI DSS requirements but also improve overall cybersecurity resilience.

Basics of PCI DSS compliance

PCI DSS requirements are security standards that help to protect payment card data from theft and fraud. These standards apply to organizations that process, store, or transmit cardholder information.

The framework is designed to help ensure that businesses implement strong security controls, including encryption, access restrictions, and continuous vulnerability management. Organizations may also have to undergo an annual audit or follow alternative validation processes.

To help simplify adherence to PCI DSS, companies can use security solutions that automate vulnerability detection, provide real-time threat monitoring, and enhance defenses. By integrating these measures, these companies can strengthen their overall cybersecurity posture.

Why PCI DSS compliance matters

PCI DSS compliance is a critical requirement for organizations that store, process, or transmit payment card data electronically. Businesses that facilitate payments for major card brands—including Visa, Mastercard, Discover, American Express, and JCB—must adhere to PCI DSS to increase the security of transactions and protect cardholder data.

Achieving and maintaining PCI DSS compliance can be more straightforward than many organizations assume. However, failing to comply can result in significant financial consequences. Financial penalties for noncompliance are determined by each payment card brand and can depend on the severity and duration of the noncompliance. Compliance not only helps mitigate these financial risks but also strengthens overall cybersecurity and customer trust.

Key changes in PCI DSS v4.0.1

PCI DSS v4.0.1 introduces minor modifications compared with v4.0, primarily addressing updates or clarifications that simplify understanding of the current requirements. Both versions, however, mark a significant departure from earlier iterations of PCI DSS, especially in the realm of application security (AppSec). In previous standards, organizations often needed specific tools and technologies to achieve compliance, but that requirement is evolving.

For example, in an earlier version of PCI DSS, Requirement 6.6 mandated the use of a dynamic application security testing (DAST) solution to identify and mitigate vulnerabilities in web applications. This explicit requirement has since been retired, and the latest version no longer prescribes any specific technology.

Instead, the updated PCI DSS requirements include the following for development and testing of secure systems and software:

6.2: Bespoke and custom software are developed securely.
6.3: Security vulnerabilities are identified and addressed.
6.4: Public-facing web applications are protected against attacks.
6.5: Changes to all system components are managed securely.
11.3: External and internal vulnerabilities are regularly identified, prioritized, and addressed.
11.4: External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected.

This change of prioritizing overall security posture rather than specific tools is critical. Some organizations may still operate under the misconception that compliance depends on deploying technologies like web application firewalls (WAFs) or static application security testing (SAST) scanners. In fact, relying solely on legacy solutions can make it harder to meet the latest PCI DSS standards. Although past regulations followed a rigid, checklist-driven approach, today’s compliance landscape is centered on adaptable security practices and measurable results.

How Datadog can help achieve PCI DSS compliance

Meeting PCI DSS compliance requirements can be challenging, but Datadog provides solutions that help organizations improve security and meet their obligations. By automating vulnerability detection, enhancing threat management, and enabling continuous monitoring, Datadog supports organizations in maintaining a strong security posture. The following solutions can help achieve PCI DSS compliance:

Datadog Code Security helps identify vulnerabilities early in the development process and provides clear remediation guidance, making it easier to build secure applications.
Datadog Application Security Management (ASM) Threat Management improves application protection by detecting and mitigating threats more effectively than traditional security methods.

With a suite of security capabilities, Datadog helps businesses align with PCI DSS requirements across applications, APIs, and open source libraries. By bringing security insights into a single platform, organizations can make informed decisions, detect threats, and manage compliance more efficiently.

Datadog security platform applicability to PCI DSS

The following table details Datadog compliance capabilities that are applicable to PCI DSS v4.0.1.

PCI DSS v4.0.1 requirement	Datadog compliance capabilities
6.2.3: Bespoke and custom software is reviewed prior to being released into production or to customers, to identify and correct potential coding vulnerabilities, as follows: Code reviews ensure code is developed according to secure coding guidelines. Code reviews look for both existing and emerging software vulnerabilities. Appropriate corrections are implemented prior to release.	Datadog Code Security identifies vulnerabilities early in the software development life cycle (development and CI/CD) before teams deploy applications to production. This vulnerability identification is achieved through Datadog’s scanning capabilities, which analyze the source code in repositories to detect vulnerabilities in first-party code and third-party open source libraries. The methodologies are static application security testing (SAST) for first-party code and software composition analysis (SCA) for third-party dependencies. For each identified vulnerability, Datadog provides one or more remediation suggestions, enabling development and DevOps teams to address issues efficiently and effectively.
6.2.3.1: If manual code reviews are performed for bespoke and custom software prior to release to production, code changes are: Reviewed by individuals other than the originating code author, and who are knowledgeable about code-review techniques and secure coding practices. Reviewed and approved by management prior to release.	For every vulnerability that is detected in source code repositories, Datadog Code Security offers pull request (PR) comments with suggested remediations. These comments can be reviewed by someone other than the original author of the vulnerable code, reducing the risk of security flaws being deployed into production environments.
6.2.4: Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software, including but not limited to the following: Injection attacks, including SQL, LDAP, XPath, or other command, parameter, object, fault, or injection-type flaws. Attacks on data and data structures, including attempts to manipulate buffers, pointers, input data, or shared data. Attacks on cryptography usage, including attempts to exploit weak, insecure, or inappropriate cryptographic implementations, algorithms, cipher suites, or modes of operation. Attacks on business logic, including attempts to abuse or bypass application features and functionalities through the manipulation of APIs, communication protocols and channels, client-side functionality, or other system/application functions and resources. This includes cross-site scripting (XSS) and cross-site request forgery (CSRF). Attacks on access control mechanisms, including attempts to bypass or abuse identification, authentication, or authorization mechanisms, or attempts to exploit weaknesses in the implementation of such mechanisms. Attacks via any “high-risk” vulnerabilities identified in the vulnerability identification process, as defined in Requirement 6.3.1.	Datadog Code Security assesses custom code, open source libraries, and how they are used within applications to identify vulnerabilities in a runtime context. This approach allows for the detection of significantly more vulnerabilities than the vulnerabilities that are explicitly listed in Requirement 6.2.4. Datadog's detection rules include the following: SAST rules IAST rules Attack rules
6.3.1: Security vulnerabilities are identified and managed as follows: New security vulnerabilities are identified using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs). Vulnerabilities are assigned a risk ranking based on industry best practices and consideration of potential impact. Risk rankings identify, at a minimum, all vulnerabilities considered to be a high-risk or critical to the environment. Vulnerabilities for bespoke and custom, and third-party software (for example operating systems and databases) are covered.	Datadog solutions integrate with procedural methods that are used to identify vulnerabilities in software. Datadog Code Security and Datadog ASM Threat Management provide risk rankings based on severity, taking into account both the source information and the exposure level of each vulnerability within the application. Datadog incorporates outside reputable sources for security vulnerability information to expand the knowledge base of vulnerabilities and coding weaknesses that can result in successful exploitation by an attacker. Additionally, Datadog hosts its private Bug Bounty Program with HackerOne to benefit from expertise from the wider security community.
6.3.2: An inventory of bespoke and custom software, and third-party software components incorporated into bespoke and custom software is maintained to facilitate vulnerability and patch management.	Datadog Code Security provides an inventory of repositories, services, and third-party components (open source libraries), displaying the vulnerabilities that are associated with each.
6.4.1: For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows: Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods as follows: At least once every 12 months and after significant changes. By an entity that specializes in application security. Including, at a minimum, all common software attacks in Requirement 6.2.4. All vulnerabilities are ranked in accordance with Requirement 6.3.1. All vulnerabilities are corrected. The application is re-evaluated after the corrections. OR Installing an automated technical solution(s) that continually detects and prevents web-based attacks as follows: Installed in front of public-facing web applications to detect and prevent web-based attacks. Actively running and up to date as applicable. Generating audit logs. Configured to either block web-based attacks or generate an alert that is immediately investigated.	Datadog Code Security and Datadog ASM Threat Management enable continuous security assessment and protection for applications. When applications are integrated with the Datadog Tracing Library, they can self-assess and self-protect in real time: Datadog Code Security ensures automated security assessment by continuously analyzing applications for vulnerabilities. Each time a change is made, Datadog Code Security scans the application or API in development and QA environments, providing immediate feedback to developers. Datadog ASM Threat Management offers automated technical protection by detecting and preventing known attacks and zero-day attacks. As an in-app web application firewall (WAF) and runtime application self-protection (RASP) solution, Datadog ASM Threat Management helps prevent vulnerability exploitation by offering automatic protection against most zero-day threats. In addition, Datadog Security Labs offers instant guidance and quick product updates that can be scaled to the entire application portfolio.
6.4.2: For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks, with at least the following: Is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks. Actively running and up to date as applicable. Generating audit logs. Configured to either block web-based attacks or generate an alert that is immediately investigated.	Datadog ASM Threat Management continuously detects and mitigates known attacks, helping to meet compliance obligations with automated technical protection. When applications are integrated with the Datadog Tracing Library, they remain self-protecting at all times. For each detected attack, an audit log is generated. Datadog ASM Threat Management can operate in: Monitoring Mode: Generates alerts for detected attacks without blocking them. Blocking Mode: Blocks detected attacks while also generating alerts and audit logs.

PCI DSS v4.0.1 requirement

Datadog compliance capabilities

6.2.3: Bespoke and custom software is reviewed prior to being released into production or to customers, to identify and correct potential coding vulnerabilities, as follows:

Code reviews ensure code is developed according to secure coding guidelines.
Code reviews look for both existing and emerging software vulnerabilities.
Appropriate corrections are implemented prior to release.

Datadog Code Security identifies vulnerabilities early in the software development life cycle (development and CI/CD) before teams deploy applications to production. This vulnerability identification is achieved through Datadog’s scanning capabilities, which analyze the source code in repositories to detect vulnerabilities in first-party code and third-party open source libraries. The methodologies are static application security testing (SAST) for first-party code and software composition analysis (SCA) for third-party dependencies. For each identified vulnerability, Datadog provides one or more remediation suggestions, enabling development and DevOps teams to address issues efficiently and effectively.

6.2.3.1: If manual code reviews are performed for bespoke and custom software prior to release to production, code changes are:

Reviewed by individuals other than the originating code author, and who are knowledgeable about code-review techniques and secure coding practices.
Reviewed and approved by management prior to release.

For every vulnerability that is detected in source code repositories, Datadog Code Security offers pull request (PR) comments with suggested remediations. These comments can be reviewed by someone other than the original author of the vulnerable code, reducing the risk of security flaws being deployed into production environments.

6.2.4: Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software, including but not limited to the following:

Injection attacks, including SQL, LDAP, XPath, or other command, parameter, object, fault, or injection-type flaws.
Attacks on data and data structures, including attempts to manipulate buffers, pointers, input data, or shared data.
Attacks on cryptography usage, including attempts to exploit weak, insecure, or inappropriate cryptographic implementations, algorithms, cipher suites, or modes of operation.
Attacks on business logic, including attempts to abuse or bypass application features and functionalities through the manipulation of APIs, communication protocols and channels, client-side functionality, or other system/application functions and resources. This includes cross-site scripting (XSS) and cross-site request forgery (CSRF).
Attacks on access control mechanisms, including attempts to bypass or abuse identification, authentication, or authorization mechanisms, or attempts to exploit weaknesses in the implementation of such mechanisms.
Attacks via any “high-risk” vulnerabilities identified in the vulnerability identification process, as defined in Requirement 6.3.1.

Datadog Code Security assesses custom code, open source libraries, and how they are used within applications to identify vulnerabilities in a runtime context. This approach allows for the detection of significantly more vulnerabilities than the vulnerabilities that are explicitly listed in Requirement 6.2.4.

Datadog's detection rules include the following:

6.3.1: Security vulnerabilities are identified and managed as follows:

New security vulnerabilities are identified using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs).
Vulnerabilities are assigned a risk ranking based on industry best practices and consideration of potential impact.
Risk rankings identify, at a minimum, all vulnerabilities considered to be a high-risk or critical to the environment.
Vulnerabilities for bespoke and custom, and third-party software (for example operating systems and databases) are covered.

Datadog solutions integrate with procedural methods that are used to identify vulnerabilities in software. Datadog Code Security and Datadog ASM Threat Management provide risk rankings based on severity, taking into account both the source information and the exposure level of each vulnerability within the application.

Datadog incorporates outside reputable sources for security vulnerability information to expand the knowledge base of vulnerabilities and coding weaknesses that can result in successful exploitation by an attacker. Additionally, Datadog hosts its private Bug Bounty Program with HackerOne to benefit from expertise from the wider security community.

6.3.2: An inventory of bespoke and custom software, and third-party software components incorporated into bespoke and custom software is maintained to facilitate vulnerability and patch management.

Datadog Code Security provides an inventory of repositories, services, and third-party components (open source libraries), displaying the vulnerabilities that are associated with each.

6.4.1: For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows:

Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods as follows:

At least once every 12 months and after significant changes.
By an entity that specializes in application security.
Including, at a minimum, all common software attacks in Requirement 6.2.4.
All vulnerabilities are ranked in accordance with Requirement 6.3.1.
All vulnerabilities are corrected.
The application is re-evaluated after the corrections.

Installing an automated technical solution(s) that continually detects and prevents web-based attacks as follows:

Installed in front of public-facing web applications to detect and prevent web-based attacks.
Actively running and up to date as applicable.
Generating audit logs.
Configured to either block web-based attacks or generate an alert that is immediately investigated.

Datadog Code Security and Datadog ASM Threat Management enable continuous security assessment and protection for applications. When applications are integrated with the Datadog Tracing Library, they can self-assess and self-protect in real time:

Datadog Code Security ensures automated security assessment by continuously analyzing applications for vulnerabilities. Each time a change is made, Datadog Code Security scans the application or API in development and QA environments, providing immediate feedback to developers.
Datadog ASM Threat Management offers automated technical protection by detecting and preventing known attacks and zero-day attacks. As an in-app web application firewall (WAF) and runtime application self-protection (RASP) solution, Datadog ASM Threat Management helps prevent vulnerability exploitation by offering automatic protection against most zero-day threats.

In addition, Datadog Security Labs offers instant guidance and quick product updates that can be scaled to the entire application portfolio.

6.4.2: For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks, with at least the following:

Is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks.
Actively running and up to date as applicable.
Generating audit logs.
Configured to either block web-based attacks or generate an alert that is immediately investigated.

Datadog ASM Threat Management continuously detects and mitigates known attacks, helping to meet compliance obligations with automated technical protection. When applications are integrated with the Datadog Tracing Library, they remain self-protecting at all times. For each detected attack, an audit log is generated. Datadog ASM Threat Management can operate in:

Monitoring Mode: Generates alerts for detected attacks without blocking them.
Blocking Mode: Blocks detected attacks while also generating alerts and audit logs.

Strengthen security while achieving PCI DSS compliance

PCI DSS compliance is important for organizations that process, store, or transmit payment card data. Failure to meet PCI DSS requirements can result in significant financial consequences, security breaches, and loss of customer trust. With the latest updates in PCI DSS v4.0.1, the focus has shifted to achieving strong security outcomes rather than relying on specific tools.

By integrating Datadog’s security solutions, organizations can improve their compliance efforts while enhancing their overall security posture. Datadog Code Security helps teams identify and remediate vulnerabilities early in the development life cycle, and Datadog ASM Threat Management provides continuous monitoring and proactive threat detection to protect applications in real time.

Maintaining PCI DSS compliance doesn’t have to be complex. With the right security practices and monitoring in place, businesses can meet requirements, reduce risks, and build a more resilient security infrastructure. Get started with Datadog today. If you don't already have a Datadog account, you can sign up for a free trial.

Manage PCI DSS v4.0.1 requirements with Datadog

Basics of PCI DSS compliance

Why PCI DSS compliance matters

Key changes in PCI DSS v4.0.1

How Datadog can help achieve PCI DSS compliance

Datadog security platform applicability to PCI DSS

Strengthen security while achieving PCI DSS compliance

Related Articles

How Datadog can support your DORA compliance strategy and operational resilience

Datadog Security extends compliance and threat protection capabilities for Google Cloud

Key learnings from the 2025 State of DevSecOps study

How to strengthen compliance across the software development life cycle by shifting left

Start monitoring your metrics in minutes

Get Started with Datadog

Basics of PCI DSS compliance

Why PCI DSS compliance matters

Key changes in PCI DSS v4.0.1

How Datadog can help achieve PCI DSS compliance

Datadog security platform applicability to PCI DSS

Strengthen security while achieving PCI DSS compliance

Related Articles

How Datadog can support your DORA compliance strategy and operational resilience

Datadog Security extends compliance and threat protection capabilities for Google Cloud

Key learnings from the 2025 State of DevSecOps study

How to strengthen compliance across the software development life cycle by shifting left

Related jobs at Datadog

We're always looking for talented people to collaborate with

Start monitoring your metrics in minutes