In today’s digital economy, businesses that handle payment card transactions are increasingly focused on security to protect customer data and maintain trust. Cyber threats that target payment information continue to evolve, making it essential for organizations to implement strong security controls.
The Payment Card Industry Data Security Standard (PCI DSS) was created to establish a set of best practices for securing cardholder data. For small businesses and large enterprises alike, compliance with PCI DSS helps safeguard sensitive payment information, reduce the risk of breaches, and avoid potential financial or reputational damage.
However, meeting PCI DSS requirements can be complex, especially with evolving compliance standards and the shift away from specific security tools toward outcome-based security practices. In this post, we’ll explain:
- What PCI DSS compliance entails
- Why PCI DSS compliance matters
- Key changes in PCI DSS v4.0.1
- How Datadog helps organizations strengthen security and achieve PCI DSS compliance
By understanding these elements, businesses can better navigate the compliance landscape and implement security measures that not only help meet PCI DSS requirements but also improve overall cybersecurity resilience.
Basics of PCI DSS compliance
PCI DSS requirements are security standards that help to protect payment card data from theft and fraud. These standards apply to organizations that process, store, or transmit cardholder information.
The framework is designed to help ensure that businesses implement strong security controls, including encryption, access restrictions, and continuous vulnerability management. Organizations may also have to undergo an annual audit or follow alternative validation processes.
To help simplify adherence to PCI DSS, companies can use security solutions that automate vulnerability detection, provide real-time threat monitoring, and enhance defenses. By integrating these measures, these companies can strengthen their overall cybersecurity posture.
Why PCI DSS compliance matters
PCI DSS compliance is a critical requirement for organizations that store, process, or transmit payment card data electronically. Businesses that facilitate payments for major card brands—including Visa, Mastercard, Discover, American Express, and JCB—must adhere to PCI DSS to increase the security of transactions and protect cardholder data.
Achieving and maintaining PCI DSS compliance can be more straightforward than many organizations assume. However, failing to comply can result in significant financial consequences. Financial penalties for noncompliance are determined by each payment card brand and can depend on the severity and duration of the noncompliance. Compliance not only helps mitigate these financial risks but also strengthens overall cybersecurity and customer trust.
Key changes in PCI DSS v4.0.1
PCI DSS v4.0.1 introduces minor modifications compared with v4.0, primarily addressing updates or clarifications that simplify understanding of the current requirements. Both versions, however, mark a significant departure from earlier iterations of PCI DSS, especially in the realm of application security (AppSec). In previous standards, organizations often needed specific tools and technologies to achieve compliance, but that requirement is evolving.
For example, in an earlier version of PCI DSS, Requirement 6.6 mandated the use of a dynamic application security testing (DAST) solution to identify and mitigate vulnerabilities in web applications. This explicit requirement has since been retired, and the latest version no longer prescribes any specific technology.
Instead, the updated PCI DSS requirements include the following for development and testing of secure systems and software:
- 6.2: Bespoke and custom software are developed securely.
- 6.3: Security vulnerabilities are identified and addressed.
- 6.4: Public-facing web applications are protected against attacks.
- 6.5: Changes to all system components are managed securely.
- 11.3: External and internal vulnerabilities are regularly identified, prioritized, and addressed.
- 11.4: External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected.
This change of prioritizing overall security posture rather than specific tools is critical. Some organizations may still operate under the misconception that compliance depends on deploying technologies like web application firewalls (WAFs) or static application security testing (SAST) scanners. In fact, relying solely on legacy solutions can make it harder to meet the latest PCI DSS standards. Although past regulations followed a rigid, checklist-driven approach, today’s compliance landscape is centered on adaptable security practices and measurable results.
How Datadog can help achieve PCI DSS compliance
Meeting PCI DSS compliance requirements can be challenging, but Datadog provides solutions that help organizations improve security and meet their obligations. By automating vulnerability detection, enhancing threat management, and enabling continuous monitoring, Datadog supports organizations in maintaining a strong security posture. The following solutions can help achieve PCI DSS compliance:
- Datadog Code Security helps identify vulnerabilities early in the development process and provides clear remediation guidance, making it easier to build secure applications.
- Datadog Application Security Management (ASM) Threat Management improves application protection by detecting and mitigating threats more effectively than traditional security methods.
With a suite of security capabilities, Datadog helps businesses align with PCI DSS requirements across applications, APIs, and open source libraries. By bringing security insights into a single platform, organizations can make informed decisions, detect threats, and manage compliance more efficiently.
Datadog security platform applicability to PCI DSS
The following table details Datadog compliance capabilities that are applicable to PCI DSS v4.0.1.
PCI DSS v4.0.1 requirement | Datadog compliance capabilities |
---|---|
6.2.3: Bespoke and custom software is reviewed prior to being released into production or to customers, to identify and correct potential coding vulnerabilities, as follows: | Datadog Code Security identifies vulnerabilities early in the software development life cycle (development and CI/CD) before teams deploy applications to production. This vulnerability identification is achieved through Datadog’s scanning capabilities, which analyze the source code in repositories to detect vulnerabilities in first-party code and third-party open source libraries. The methodologies are static application security testing (SAST) for first-party code and software composition analysis (SCA) for third-party dependencies. For each identified vulnerability, Datadog provides one or more remediation suggestions, enabling development and DevOps teams to address issues efficiently and effectively. |
6.2.3.1: If manual code reviews are performed for bespoke and custom software prior to release to production, code changes are: | For every vulnerability that is detected in source code repositories, Datadog Code Security offers pull request (PR) comments with suggested remediations. These comments can be reviewed by someone other than the original author of the vulnerable code, reducing the risk of security flaws being deployed into production environments. |
6.2.4: Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software, including but not limited to the following: | Datadog Code Security assesses custom code, open source libraries, and how they are used within applications to identify vulnerabilities in a runtime context. This approach detects significantly more vulnerability classes than those explicitly listed in Requirement 6.2.4. Datadog's detection rules include the following: |
6.3.1: Security vulnerabilities are identified and managed as follows: | Datadog solutions integrate with procedural methods that are used to identify vulnerabilities in software. Datadog Code Security and Datadog ASM Threat Management provide risk rankings based on severity, taking into account both the source information and the exposure level of each vulnerability within the application. Datadog incorporates outside reputable sources for security vulnerability information to expand the knowledge base of vulnerabilities and coding weaknesses that can result in successful exploitation by an attacker. Additionally, Datadog hosts its private Bug Bounty Program with HackerOne to benefit from expertise from the wider security community. |
6.3.2: An inventory of bespoke and custom software, and third-party software components incorporated into bespoke and custom software is maintained to facilitate vulnerability and patch management. | Datadog Code Security provides an inventory of repositories, services, and third-party components (open source libraries), displaying the vulnerabilities that are associated with each. |
6.4.1: For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows: | Datadog Code Security and Datadog ASM Threat Management enable continuous security assessment and protection for applications. When applications are integrated with the Datadog Tracing Library, they can self-assess and self-protect in real time: In addition, Datadog Security Labs offers instant guidance and quick product updates that can be scaled to the entire application portfolio. |
6.4.2: For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks, with at least the following: | Datadog ASM Threat Management continuously detects and mitigates known attacks, helping to meet compliance obligations with automated technical protection. When applications are integrated with the Datadog Tracing Library, they remain self-protecting at all times. For each detected attack, an audit log is generated. Datadog ASM Threat Management can operate in: |
Strengthen security while achieving PCI DSS compliance
PCI DSS compliance is important for organizations that process, store, or transmit payment card data. Failure to meet PCI DSS requirements can result in significant financial consequences, security breaches, and loss of customer trust. With the latest updates in PCI DSS v4.0.1, the focus has shifted to achieving strong security outcomes rather than relying on specific tools.
By integrating Datadog’s security solutions, organizations can improve their compliance efforts while enhancing their overall security posture. Datadog Code Security helps teams identify and remediate vulnerabilities early in the development life cycle, and Datadog ASM Threat Management provides continuous monitoring and proactive threat detection to protect applications in real time.
Maintaining PCI DSS compliance doesn’t have to be complex. With the right security practices and monitoring in place, businesses can meet requirements, reduce risks, and build a more resilient security infrastructure. Get started with Datadog today. If you don’t already have a Datadog account, you can sign up for a free trial.