Deprecate PCI DSS for Logs and APM (#30919)

estherk15 · jinatdatadog · drichards-87 · web-flow · commit c9e4be18d375 · 2025-08-08T15:13:14.000-04:00
* Deprecate PCI DSS docs

* Remove references to PCI

* Re-add PCI Compliance docs with updated links

* Update content/en/data_security/pci_compliance.md

Co-authored-by: Esther Kim &lt;esther.kim@datadoghq.com&gt;

* Update content/en/data_security/pci_compliance.md

* Readd the further reading links

* Remove PCI config shortcodes

* Apply suggestions from code review

Co-authored-by: DeForest Richards &lt;56796055+drichards-87@users.noreply.github.com&gt;

* Restore shortcode to fix build issue

---------

Co-authored-by: jinatdatadog &lt;97474042+jinatdatadog@users.noreply.github.com&gt;
Co-authored-by: DeForest Richards &lt;56796055+drichards-87@users.noreply.github.com&gt;
diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml
@@ -5752,13 +5752,6 @@ menu:
       url: logs/log_configuration/forwarding_custom_destinations/
       parent: log_configuration
       weight: 211
-    - name: PCI Compliance
-      identifier: log_pci_compliance
-      url: data_security/pci_compliance/
-      parent: log_management
-      weight: 3
-      params:
-        skip: true
     - name: Log Explorer
       url: logs/explorer/
       parent: log_management
diff --git a/content/en/account_management/audit_trail/_index.md b/content/en/account_management/audit_trail/_index.md
@@ -11,7 +11,7 @@ further_reading:
   text: "Learn about organization settings"
 - link: "/data_security/pci_compliance/"
   tag: "Documentation"
-  text: "Set up a PCI-compliant Datadog organization"
+  text: "PCI DSS Compliance"
 - link: "https://www.datadoghq.com/blog/compliance-governance-transparency-with-datadog-audit-trail/"
   tag: "Blog"
   text: "Build compliance, governance, and transparency across your teams with Datadog Audit Trail"
@@ -44,7 +44,7 @@ For security admins or InfoSec teams, audit trail events help with compliance ch
 
 You can also analyze Audit Trail events with [Cloud SIEM][15] to detect threats and generate security signals. See [Getting Started with Cloud SIEM][16] for more information.
 
-**Note**: See [PCI DSS Compliance][2] for information on setting up a PCI-compliant Datadog organization.
+**Note**: Datadog's tools and policies comply with PCI v4.0. For more information, see [PCI DSS Compliance][2].
 
 ## Setup
 
diff --git a/content/en/data_security/logs.md b/content/en/data_security/logs.md
@@ -8,17 +8,16 @@ further_reading:
   text: "Review the main categories of data submitted to Datadog"
 - link: "/data_security/pci_compliance/"
   tag: "Documentation"
-  text: "Set up a PCI-compliant Datadog organization"
-- link: "https://www.datadoghq.com/blog/datadog-pci-compliance-log-management-apm/"
-  tag: "Blog"
-  text: "Announcing PCI-Compliant Log Management and APM from Datadog"
+  text: "PCI DSS Compliance"
 ---
 
 <div class="alert alert-info">This page is about the security of data sent to Datadog. If you're looking for cloud and application security products and features, see the <a href="/security/" target="_blank">Security</a> section.</div>
 
 The Log Management product supports multiple [environments and formats][1], allowing you to submit to Datadog nearly any data you choose. This article describes the main security guarantees and filtering controls available to you when submitting logs to Datadog.
 
-**Note**: Logs can be viewed in various Datadog products. All logs viewed in the Datadog UI, including logs viewed in APM trace pages, are part of the Log Management product.
+**Notes**:
+- Logs can be viewed in various Datadog products. All logs viewed in the Datadog UI, including logs viewed in APM trace pages, are part of the Log Management product.
+- Datadog's tools and policies comply with PCI v4.0. For more information, see [PCI DSS Compliance][10].
 
 ## Information security
 
@@ -42,31 +41,6 @@ Sensitive Data Scanner is also available as a [processor][8] in [Observability P
 
 {{% hipaa-customers %}}
 
-## PCI DSS compliance for Log Management
-
-{{< site-region region="us" >}}
-
-<div class="alert alert-warning">
-PCI DSS compliance for Log Management is only available for Datadog organizations in the <a href="/getting_started/site/">US1 site</a>.
-</div>
-
-Datadog allows customers to send logs to PCI DSS compliant Datadog organizations upon request. To set up a PCI-compliant Datadog org, follow these steps:
-
-{{% pci-logs %}}
-
-See [PCI DSS Compliance][1] for more information. To enable PCI compliance for APM, see [PCI DSS compliance for APM][1].
-
-[1]: /data_security/pci_compliance/
-[2]: /data_security/pci_compliance/?tab=apm
-
-{{< /site-region >}}
-
-{{< site-region region="us3,us5,eu,gov,ap1,ap2" >}}
-
-PCI DSS compliance for Log Management is not available for the {{< region-param key="dd_site_name" >}} site.
-
-{{< /site-region >}}
-
 ## Endpoint encryption
 
 All log submission endpoints are encrypted. These legacy endpoints are still supported:
@@ -88,4 +62,5 @@ All log submission endpoints are encrypted. These legacy endpoints are still sup
 [6]: https://www.datadoghq.com/legal/hipaa-eligible-services/
 [7]: /security/sensitive_data_scanner/
 [8]: /observability_pipelines/processors/sensitive_data_scanner
-[9]: /observability_pipelines/
+[9]: /observability_pipelines/
+[10]: /data_security/pci_compliance/
diff --git a/content/en/data_security/pci_compliance.md b/content/en/data_security/pci_compliance.md
@@ -1,68 +1,34 @@
 ---
 title: PCI DSS Compliance
-disable_toc: false
 further_reading:
-- link: "https://www.datadoghq.com/blog/datadog-pci-compliance-log-management-apm/"
-  tag: "Blog"
-  text: "Announcing PCI-Compliant Log Management and APM from Datadog"
-- link: "coterm"
-  tag: "Documentation"
-  text: "CoTerm: Monitor terminal sessions and sensitive activities on local and remote systems"
+- link: "https://trust.datadoghq.com/"
+  tag: "Datadog Trust Center"
+  text: "Learn about Datadog's security posture and review security documentation"
 ---
 
-{{% site-region region="us3,us5,eu,ap1,gov,ap2" %}}
-<div class="alert alert-warning">
-PCI DSS compliance for APM and Log Management is only available for Datadog organizations in the <a href="/getting_started/site/">US1 site</a>.
-</div>
-{{% /site-region %}}
-
-{{% site-region region="us" %}}
-<div class="alert alert-warning">
-PCI DSS compliance for APM and Log Management is only available for Datadog organizations in the <a href="/getting_started/site/">US1 site</a>.
-</div>
-
 ## Overview
 
-The Payment Card Industry (PCI) Data Security Standard (DSS) has rigorous monitoring and data security requirements for all merchants, service providers, and financial institutions. To meet these requirements, organizations have had to separate out PCI-regulated data and non-regulated data to different applications for monitoring.
-
-Datadog offers PCI-compliant Log Management and Application Performance Monitoring (APM) within the [US1 site][1] so that you can collect all of your logs, whether they are PCI-regulated or not, in one place. See [Set up a PCI-compliant Datadog organization](#set-up-a-pci-compliant-datadog-organization) on how to get started.
-
-## Set up a PCI-compliant Datadog organization
-
-{{< tabs >}}
-
-{{% tab "Log Management" %}}
-
-{{% pci-logs %}}
-
-{{% /tab %}}
-
-{{% tab "APM" %}}
-
-{{% pci-apm %}}
-
-{{% /tab %}}
-
-{{< /tabs >}}
-
-[1]: /getting_started/site/
-
-{{% /site-region %}}
-
-## View your PCI Compliance status
-
-See the [Configuration Page][2] inside Safety Center. 
+The Payment Card Industry (PCI) Data Security Standard (DSS) has rigorous monitoring and data security requirements for all merchants, service providers, and financial institutions. To meet these requirements, organizations often separate PCI-regulated data (such as cardholder data) and non-regulated data into different applications for monitoring and compliance purposes.
 
-Example of a fully onboarded customer:
+**Datadog's tools and policies comply with PCI v4.0**. To understand the full scope of Datadog's environment and how it relates to customer responsibilities under the relevant PCI-DSS controls, download the Customer Responsibility Matrix and the Attestation of Compliance (AoC) from the [Datadog Trust Center][1].
 
-{{< img src="/data_security/pci_compliant.png" alt="View of PCI compliance in the Configuration Page" style="width:75%;" >}}
+Datadog's Attestation of Compliance (AoC) reflects the tools and policies we have in place to maintain a Connected PCI environment as a service provider. The Datadog platform supports connections to cardholder data environments (CDE) as a Connected PCI environment, but does not serve as a CDE itself for storing, processing, or transmitting cardholder data (CHD).
+It is your responsibility to prevent any CHD from entering the Datadog platform. 
 
-Example of an onboarding customer:
+## Recommended tools for PCI compliance
 
-{{< img src="/data_security/pci_onboarding.png" alt="View of PCI onboarding in the Configuration Page" style="width:75%;" >}}
+To help maintain PCI compliance, **Datadog strongly recommends** the use of the following tools and process:
+- [**Sensitive Data Scanner**][2]: discover, classify, and redact sensitive cardholder data
+- [**Audit Trail**][3]: search and analyze detailed audit events for up to 90 days for long-term retention and archiving
+- [**File Integrity Monitoring**][4]: watch for changes to key files and directories
+- [**Cloud Security Management**][5]: track conformance to requirements of industry benchmarks and other controls
 
 ## Further Reading
 
 {{< partial name="whats-next/whats-next.html" >}}
 
-[2]: https://app.datadoghq.com/organization-settings/safety-center/configuration
+[1]: https://trust.datadoghq.com/?itemUid=53e1508c-665e-45a8-9ce0-03fdf9ae1efb&source=click
+[2]: /security/sensitive_data_scanner/
+[3]: /account_management/audit_trail/
+[4]: /security/workload_protection/
+[5]: /security/cloud_security_management/#track-your-organizations-health
diff --git a/content/en/logs/_index.md b/content/en/logs/_index.md
@@ -65,8 +65,6 @@ Datadog Log Management, also referred to as Datadog logs or logging, removes the
 
 Logging without Limits\* enables a streamlined troubleshooting experience in the [Log Explorer][1], which empowers you and your teams to quickly assess and fix your infrastructure issues. It provides intuitive archiving to support your security and IT teams during audits and assessments. Logging without Limits* also powers [Datadog Cloud SIEM][2], which detects security threats in your environment, without requiring you to index logs.
 
-**Note**: See [PCI DSS Compliance][3] for information on setting up a PCI-compliant Datadog organization.
-
 {{< vimeo url="https://player.vimeo.com/progressive_redirect/playback/293195142/rendition/1080p/file.mp4?loc=external&signature=8a45230b500688315ef9c8991ce462f20ed1660f3edff3d2904832e681bd6000" poster="/images/poster/logs.png" >}}
 
 </br>
@@ -117,7 +115,6 @@ Start exploring your ingested logs in the [Log Explorer][1].
 
 [1]: /logs/explorer/
 [2]: /security/cloud_siem/
-[3]: /data_security/pci_compliance/
 [4]: /logs/log_collection/
 [5]: /logs/log_configuration/
 [6]: /tracing/other_telemetry/connect_logs_and_traces/
diff --git a/content/en/logs/guide/azure-logging-guide.md b/content/en/logs/guide/azure-logging-guide.md
@@ -136,21 +136,6 @@ See [Getting started with Azure Functions][307] for more information.
 {{% /tab %}}
 {{< /tabs >}}
 
-## Advanced configuration
-Refer to the following topics to configure your installation according to your monitoring needs.
-
-### PCI compliance
-
-<div class="alert alert-warning">
-PCI DSS compliance for APM and Log Management is only available for Datadog organizations in the <a href="/getting_started/site/">US1 site</a>.
-</div>
-
-To set up PCI-compliant Log Management, you must meet the requirements outlined in [PCI DSS Compliance][6]. Send your logs to the dedicated PCI compliant endpoint:
-
-Under **Settings > Environment variables**, click **Add** to set the following environment variable:
-- Name: `DD_URL`
-- Value: `http-intake-pci.logs.datadoghq.com`
-
 ## Log Archiving
 
 Archiving logs to Azure Blob Storage requires an App Registration even if you are using the Azure Native integration. To archive logs to Azure Blob Storage, follow the [automatic][7] or [manual][8] setup instructions to configure the integration using an App Registration. App Registrations created for archiving purposes do not need the `Monitoring Reader` role assigned.
@@ -168,7 +153,6 @@ After configuring an App Registration, you can [create a log archive][3] that wr
 [3]: /logs/log_configuration/archives/?tab=azurestorage#configure-an-archive
 [4]: /logs/guide/azure-native-logging-guide/
 [5]: https://learn.microsoft.com/en-us/azure/partner-solutions/datadog/overview
-[6]: /data_security/pci_compliance/?tab=logmanagement
 [7]: /integrations/guide/azure-programmatic-management/#datadog-azure-integration
 [8]: /integrations/guide/azure-manual-setup/#setup
 [9]: /logs/guide/azure-automated-log-forwarding/
diff --git a/content/en/logs/log_collection/_index.md b/content/en/logs/log_collection/_index.md
@@ -142,7 +142,6 @@ Use the [site][13] selector dropdown on the right side of the page to see suppor
 | Site | Type        | Endpoint                                                                  | Port         | Description                                                                                                                                                                 |
 |------|-------------|---------------------------------------------------------------------------|--------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | US   | HTTPS       | `http-intake.logs.datadoghq.com`                                          | 443   | Used by custom forwarder to send logs in JSON or plain text format over HTTPS. See the [Logs HTTP API documentation][1].                                                    |
-| US   | HTTPS       | `agent-http-intake-pci.logs.datadoghq.com`                                | 443   | Used by the Agent to send logs over HTTPS to an org with PCI DSS compliance enabled. See [PCI DSS compliance for Log Management][3] for more information.                 |
 | US   | HTTPS       | `agent-http-intake.logs.datadoghq.com`                                    | 443   | Used by the Agent to send logs in JSON format over HTTPS. See the [Host Agent Log collection documentation][2].                                                             |
 | US   | HTTPS       | `lambda-http-intake.logs.datadoghq.com`                                   | 443   | Used by Lambda functions to send logs in raw, Syslog, or JSON format over HTTPS.                                                                                            |
 | US   | HTTPS       | `logs.`{{< region-param key="browser_sdk_endpoint_domain" code="true" >}} | 443   | Used by the Browser SDK to send logs in JSON format over HTTPS.                                                                                                             |
@@ -154,7 +153,6 @@ Use the [site][13] selector dropdown on the right side of the page to see suppor
 
 [1]: /api/latest/logs/#send-logs
 [2]: /agent/logs/#send-logs-over-https
-[3]: /data_security/logs/#pci-dss-compliance-for-log-management
 {{< /site-region >}}
 
 {{< site-region region="eu" >}}
diff --git a/content/en/logs/log_collection/javascript.md b/content/en/logs/log_collection/javascript.md
@@ -407,7 +407,6 @@ The following parameters are available to configure the Datadog browser logs SDK
 | `trackingConsent`          | `"granted"` or `"not-granted"`                                            | No       | `"granted"`     | Set the initial user tracking consent state. See [User Tracking Consent][15].                                                                                                         |
 | `silentMultipleInit`       | Boolean                                                                   | No       |                 | Prevent logging errors while having multiple init.                                                                                                                                    |
 | `proxy`                    | String                                                                    | No       |                 | Optional proxy URL (ex: `https://www.proxy.com/path`), see the full [proxy setup guide][6] for more information.                                                                      |
-| `usePciIntake`             | Boolean                                                                   | No       | `false`         | Use PCI-compliant intake. See [PCI DSS Compliance][20] for more information.                                                                                                          |
 | `telemetrySampleRate`      | Number                                                                    | No       | `20`            | Telemetry data (error, debug logs) about SDK execution is sent to Datadog in order to detect and solve potential issues. Set this option to `0` to opt out from telemetry collection. |
 | `storeContextsAcrossPages` | Boolean                                                                   | No       |                 | Store global context and user context in `localStorage` to preserve them along the user navigation. See [Contexts life cycle][11] for more details and specific limitations.          |
 | `allowUntrustedEvents`     | Boolean                                                                   | No       |                 | Allow capture of [untrusted events][13], for example in automated UI tests.                                                                                                           |
@@ -424,7 +423,6 @@ Options that must have a matching configuration when using the `RUM` SDK:
 | `trackSessionAcrossSubdomains`         | Boolean                         | No       | `false`    | Preserve the session across subdomains for the same site.                                                                                                                                                                                                                |
 | `useSecureSessionCookie`               | Boolean                         | No       | `false`    | Use a secure session cookie. This disables logs sent on insecure (non-HTTPS) connections.                                                                                                                                                                                |
 | `usePartitionedCrossSiteSessionCookie` | Boolean                         | No       | `false`    | Use a partitioned secure cross-site session cookie. This allows the logs SDK to run when the site is loaded from another one (iframe). Implies `useSecureSessionCookie`.                                                                                                 |
-| `usePciIntake`                         | Boolean                         | No       | `false`    | To forward logs to the [PCI-compliant intake][16], set to `true`. The PCI-compliant intake is only available for Datadog organizations in the US1 site. If `usePciIntake` is set to `true` and the site is not US1 (datadoghq.com), logs are sent to the default intake. |
 
 ## Usage
 
@@ -1410,8 +1408,6 @@ window.DD_LOGS && window.DD_LOGS.getInternalContext() // { session_id: "xxxx-xxx
 [13]: https://developer.mozilla.org/en-US/docs/Web/API/Event/isTrusted
 [14]: /integrations/content_security_policy_logs/#use-csp-with-real-user-monitoring-and-session-replay
 [15]: #user-tracking-consent
-[16]: https://docs.datadoghq.com/data_security/logs/#pci-dss-compliance-for-log-management
 [17]: /real_user_monitoring/browser/advanced_configuration/?tab=npm#micro-frontend
 [18]: /real_user_monitoring/browser/advanced_configuration/?tab=npm#enrich-and-control-rum-data
 [19]: /real_user_monitoring/browser/advanced_configuration/?tab=npm#discard-a-rum-event
-[20]: /data_security/pci_compliance/?tab=logmanagement
diff --git a/content/en/logs/log_configuration/_index.md b/content/en/logs/log_configuration/_index.md
@@ -6,7 +6,7 @@ aliases:
 further_reading:
 - link: "/data_security/pci_compliance/"
   tag: "Documentation"
-  text: "Set up a PCI-compliant Datadog organization"
+  text: "PCI DSS Compliance"
 - link: "https://www.datadoghq.com/blog/logging-without-limits/"
   tag: "Blog"
   text: Learn more about Logging without Limits*
@@ -25,8 +25,6 @@ further_reading:
 
 Datadog Logging without Limits* decouples log ingestion and indexing. Choose which logs to index and retain, or archive, and manage settings and controls at a top-level from the log configuration page at [**Logs > Pipelines**][1].
 
-**Note**: See [PCI DSS Compliance][2] for information on setting up a PCI-compliant Datadog organization.
-
 ## Configuration options
 
 - Control how your logs are processed with [pipelines][3] and [processors][4].
diff --git a/content/en/observability_pipelines/destinations/datadog_logs.md b/content/en/observability_pipelines/destinations/datadog_logs.md
@@ -34,9 +34,7 @@ To send logs from Observability Pipelines to Datadog using AWS PrivateLink, see
 - Logs (User HTTP intake): `http-intake.logs.datadoghq.com`
 - Remote Configuration: `config.datadoghq.com`
 
-**Notes**:
-- If you are a PCI-compliant organization, the Worker sends logs over `http-intake-pci.logs.datadoghq.com`, which is not available as an AWS PrivateLink endpoint.
-- The `obpipeline-intake.datadoghq.com` endpoint is used for Live Capture and is not available as a PrivateLink endpoint.
+**Note**: The `obpipeline-intake.datadoghq.com` endpoint is used for Live Capture and is not available as a PrivateLink endpoint.
 
 [1]: https://app.datadoghq.com/observability-pipelines
 [2]: /observability_pipelines/destinations/#event-batching
diff --git a/content/en/security/sensitive_data_scanner/_index.md b/content/en/security/sensitive_data_scanner/_index.md
diff --git a/content/en/tracing/configure_data_security/_index.md b/content/en/tracing/configure_data_security/_index.md
