From 9cf778199e19e9f7b7ce8551916373e4f9e42c6d Mon Sep 17 00:00:00 2001 From: Esther Kim Date: Tue, 5 Aug 2025 12:16:45 -0400 Subject: [PATCH 1/9] Deprecate PCI DSS docs --- config/_default/menus/main.en.yaml | 12 ---- content/en/data_security/pci_compliance.md | 68 ---------------------- 2 files changed, 80 deletions(-) delete mode 100644 content/en/data_security/pci_compliance.md diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml index b9e42f3b7bede..7323542081542 100644 --- a/config/_default/menus/main.en.yaml +++ b/config/_default/menus/main.en.yaml @@ -5731,13 +5731,6 @@ menu: url: logs/log_configuration/forwarding_custom_destinations/ parent: log_configuration weight: 211 - - name: PCI Compliance - identifier: log_pci_compliance - url: data_security/pci_compliance/ - parent: log_management - weight: 3 - params: - skip: true - name: Log Explorer url: logs/explorer/ parent: log_management @@ -8035,11 +8028,6 @@ menu: url: data_security/real_user_monitoring/ parent: data_security weight: 6 - - name: PCI Compliance - identifier: data_security_pci_compliance - url: data_security/pci_compliance/ - parent: data_security - weight: 7 - name: HIPAA Compliance identifier: data_security_hipaa_compliance url: data_security/hipaa_compliance/ diff --git a/content/en/data_security/pci_compliance.md b/content/en/data_security/pci_compliance.md deleted file mode 100644 index 7e9da5df0cf2c..0000000000000 --- a/content/en/data_security/pci_compliance.md +++ /dev/null @@ -1,68 +0,0 @@ ---- -title: PCI DSS Compliance -disable_toc: false -further_reading: -- link: "https://www.datadoghq.com/blog/datadog-pci-compliance-log-management-apm/" - tag: "Blog" - text: "Announcing PCI-Compliant Log Management and APM from Datadog" -- link: "coterm" - tag: "Documentation" - text: "CoTerm: Monitor terminal sessions and sensitive activities on local and remote systems" ---- - -{{% site-region region="us3,us5,eu,ap1,gov,ap2" %}} -
-PCI DSS compliance for APM and Log Management is only available for Datadog organizations in the US1 site. -
-{{% /site-region %}} - -{{% site-region region="us" %}} -
-PCI DSS compliance for APM and Log Management is only available for Datadog organizations in the US1 site. -
- -## Overview - -The Payment Card Industry (PCI) Data Security Standard (DSS) has rigorous monitoring and data security requirements for all merchants, service providers, and financial institutions. To meet these requirements, organizations have had to separate out PCI-regulated data and non-regulated data to different applications for monitoring. - -Datadog offers PCI-compliant Log Management and Application Performance Monitoring (APM) within the [US1 site][1] so that you can collect all of your logs, whether they are PCI-regulated or not, in one place. See [Set up a PCI-compliant Datadog organization](#set-up-a-pci-compliant-datadog-organization) on how to get started. - -## Set up a PCI-compliant Datadog organization - -{{< tabs >}} - -{{% tab "Log Management" %}} - -{{% pci-logs %}} - -{{% /tab %}} - -{{% tab "APM" %}} - -{{% pci-apm %}} - -{{% /tab %}} - -{{< /tabs >}} - -[1]: /getting_started/site/ - -{{% /site-region %}} - -## View your PCI Compliance status - -See the [Configuration Page][2] inside Safety Center. - -Example of a fully onboarded customer: - -{{< img src="/data_security/pci_compliant.png" alt="View of PCI compliance in the Configuration Page" style="width:75%;" >}} - -Example of an onboarding customer: - -{{< img src="/data_security/pci_onboarding.png" alt="View of PCI onboarding in the Configuration Page" style="width:75%;" >}} - -## Further Reading - -{{< partial name="whats-next/whats-next.html" >}} - -[2]: https://app.datadoghq.com/organization-settings/safety-center/configuration From 205b41ac6c7eead9dd51f9ab0d31fa05873f5eb9 Mon Sep 17 00:00:00 2001 
From: Esther Kim Date: Tue, 5 Aug 2025 12:29:48 -0400 Subject: [PATCH 2/9] Remove references to PCI --- .../account_management/audit_trail/_index.md | 6 ---- content/en/data_security/logs.md | 31 ------------------- content/en/logs/_index.md | 3 -- content/en/logs/guide/azure-logging-guide.md | 16 ---------- content/en/logs/log_collection/_index.md | 2 -- content/en/logs/log_collection/javascript.md | 4 --- content/en/logs/log_configuration/_index.md | 6 ---- .../security/sensitive_data_scanner/_index.md | 3 -- .../tracing/configure_data_security/_index.md | 4 --- 9 files changed, 75 deletions(-) diff --git a/content/en/account_management/audit_trail/_index.md b/content/en/account_management/audit_trail/_index.md index db915424a65f7..94073a615b672 100644 --- a/content/en/account_management/audit_trail/_index.md +++ b/content/en/account_management/audit_trail/_index.md @@ -9,9 +9,6 @@ further_reading: - link: "/account_management/org_settings/" tag: "Documentation" text: "Learn about organization settings" -- link: "/data_security/pci_compliance/" - tag: "Documentation" - text: "Set up a PCI-compliant Datadog organization" - link: "https://www.datadoghq.com/blog/compliance-governance-transparency-with-datadog-audit-trail/" tag: "Blog" text: "Build compliance, governance, and transparency across your teams with Datadog Audit Trail" @@ -44,8 +41,6 @@ For security admins or InfoSec teams, audit trail events help with compliance ch You can also analyze Audit Trail events with [Cloud SIEM][15] to detect threats and generate security signals. See [Getting Started with Cloud SIEM][16] for more information. -**Note**: See [PCI DSS Compliance][2] for information on setting up a PCI-compliant Datadog organization. - ## Setup To enable Datadog Audit Trail, navigate to your [Organization Settings][3] and select *Audit Trail Settings* under *COMPLIANCE*. Click the **Enable** button. 
@@ -228,7 +223,6 @@ Datadog Audit Trail comes with an [out-of-the-box dashboard][13] that shows vari {{< partial name="whats-next/whats-next.html" >}} [1]: https://app.datadoghq.com/audit-trail -[2]: /data_security/pci_compliance/ [3]: https://app.datadoghq.com/organization-settings/ [4]: https://app.datadoghq.com/event/explorer [5]: /logs/explorer/ diff --git a/content/en/data_security/logs.md b/content/en/data_security/logs.md index a56ae433533e1..b480ff4ada63c 100644 --- a/content/en/data_security/logs.md +++ b/content/en/data_security/logs.md @@ -6,12 +6,6 @@ further_reading: - link: "/data_security/" tag: "Documentation" text: "Review the main categories of data submitted to Datadog" -- link: "/data_security/pci_compliance/" - tag: "Documentation" - text: "Set up a PCI-compliant Datadog organization" -- link: "https://www.datadoghq.com/blog/datadog-pci-compliance-log-management-apm/" - tag: "Blog" - text: "Announcing PCI-Compliant Log Management and APM from Datadog" ---
This page is about the security of data sent to Datadog. If you're looking for cloud and application security products and features, see the Security section.
@@ -42,31 +36,6 @@ Sensitive Data Scanner is also available as a [processor][8] in [Observability P {{% hipaa-customers %}} -## PCI DSS compliance for Log Management - -{{< site-region region="us" >}} - -
-PCI DSS compliance for Log Management is only available for Datadog organizations in the US1 site. -
- -Datadog allows customers to send logs to PCI DSS compliant Datadog organizations upon request. To set up a PCI-compliant Datadog org, follow these steps: - -{{% pci-logs %}} - -See [PCI DSS Compliance][1] for more information. To enable PCI compliance for APM, see [PCI DSS compliance for APM][1]. - -[1]: /data_security/pci_compliance/ -[2]: /data_security/pci_compliance/?tab=apm - -{{< /site-region >}} - -{{< site-region region="us3,us5,eu,gov,ap1,ap2" >}} - -PCI DSS compliance for Log Management is not available for the {{< region-param key="dd_site_name" >}} site. - -{{< /site-region >}} - ## Endpoint encryption All log submission endpoints are encrypted. These legacy endpoints are still supported: diff --git a/content/en/logs/_index.md b/content/en/logs/_index.md index dc4e031fc6a0d..914cd4356bc49 100644 --- a/content/en/logs/_index.md +++ b/content/en/logs/_index.md @@ -65,8 +65,6 @@ Datadog Log Management, also referred to as Datadog logs or logging, removes the Logging without Limits\* enables a streamlined troubleshooting experience in the [Log Explorer][1], which empowers you and your teams to quickly assess and fix your infrastructure issues. It provides intuitive archiving to support your security and IT teams during audits and assessments. Logging without Limits* also powers [Datadog Cloud SIEM][2], which detects security threats in your environment, without requiring you to index logs. -**Note**: See [PCI DSS Compliance][3] for information on setting up a PCI-compliant Datadog organization. - {{< vimeo url="https://player.vimeo.com/progressive_redirect/playback/293195142/rendition/1080p/file.mp4?loc=external&signature=8a45230b500688315ef9c8991ce462f20ed1660f3edff3d2904832e681bd6000" poster="/images/poster/logs.png" >}}
@@ -117,7 +115,6 @@ Start exploring your ingested logs in the [Log Explorer][1]. [1]: /logs/explorer/ [2]: /security/cloud_siem/ -[3]: /data_security/pci_compliance/ [4]: /logs/log_collection/ [5]: /logs/log_configuration/ [6]: /tracing/other_telemetry/connect_logs_and_traces/ diff --git a/content/en/logs/guide/azure-logging-guide.md b/content/en/logs/guide/azure-logging-guide.md index 7fc24d5357d77..ed13f8a244f02 100644 --- a/content/en/logs/guide/azure-logging-guide.md +++ b/content/en/logs/guide/azure-logging-guide.md @@ -136,21 +136,6 @@ See [Getting started with Azure Functions][307] for more information. {{% /tab %}} {{< /tabs >}} -## Advanced configuration -Refer to the following topics to configure your installation according to your monitoring needs. - -### PCI compliance - -
-PCI DSS compliance for APM and Log Management is only available for Datadog organizations in the US1 site. -
- -To set up PCI-compliant Log Management, you must meet the requirements outlined in [PCI DSS Compliance][6]. Send your logs to the dedicated PCI compliant endpoint: - -Under **Settings > Environment variables**, click **Add** to set the following environment variable: -- Name: `DD_URL` -- Value: `http-intake-pci.logs.datadoghq.com` - ## Log Archiving Archiving logs to Azure Blob Storage requires an App Registration even if you are using the Azure Native integration. To archive logs to Azure Blob Storage, follow the [automatic][7] or [manual][8] setup instructions to configure the integration using an App Registration. App Registrations created for archiving purposes do not need the `Monitoring Reader` role assigned. @@ -168,7 +153,6 @@ After configuring an App Registration, you can [create a log archive][3] that wr [3]: /logs/log_configuration/archives/?tab=azurestorage#configure-an-archive [4]: /logs/guide/azure-native-logging-guide/ [5]: https://learn.microsoft.com/en-us/azure/partner-solutions/datadog/overview -[6]: /data_security/pci_compliance/?tab=logmanagement [7]: /integrations/guide/azure-programmatic-management/#datadog-azure-integration [8]: /integrations/guide/azure-manual-setup/#setup [9]: /logs/guide/azure-automated-log-forwarding/ diff --git a/content/en/logs/log_collection/_index.md b/content/en/logs/log_collection/_index.md index 9953fc0d4f01c..a2761cb5dd161 100644 --- a/content/en/logs/log_collection/_index.md +++ b/content/en/logs/log_collection/_index.md 
@@ -142,7 +142,6 @@ Use the [site][13] selector dropdown on the right side of the page to see suppor | Site | Type | Endpoint | Port | Description | |------|-------------|---------------------------------------------------------------------------|--------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | US | HTTPS | `http-intake.logs.datadoghq.com` | 443 | Used by custom forwarder to send logs in JSON or plain text format over HTTPS. See the [Logs HTTP API documentation][1]. | -| US | HTTPS | `agent-http-intake-pci.logs.datadoghq.com` | 443 | Used by the Agent to send logs over HTTPS to an org with PCI DSS compliance enabled. See [PCI DSS compliance for Log Management][3] for more information. | | US | HTTPS | `agent-http-intake.logs.datadoghq.com` | 443 | Used by the Agent to send logs in JSON format over HTTPS. See the [Host Agent Log collection documentation][2]. | | US | HTTPS | `lambda-http-intake.logs.datadoghq.com` | 443 | Used by Lambda functions to send logs in raw, Syslog, or JSON format over HTTPS. | | US | HTTPS | `logs.`{{< region-param key="browser_sdk_endpoint_domain" code="true" >}} | 443 | Used by the Browser SDK to send logs in JSON format over HTTPS. | @@ -154,7 +153,6 @@ Use the [site][13] selector dropdown on the right side of the page to see suppor [1]: /api/latest/logs/#send-logs [2]: /agent/logs/#send-logs-over-https -[3]: /data_security/logs/#pci-dss-compliance-for-log-management {{< /site-region >}} {{< site-region region="eu" >}} diff --git a/content/en/logs/log_collection/javascript.md b/content/en/logs/log_collection/javascript.md index 05982cf7c613c..86403c00e3dbb 100644 --- a/content/en/logs/log_collection/javascript.md +++ b/content/en/logs/log_collection/javascript.md 
@@ -407,7 +407,6 @@ The following parameters are available to configure the Datadog browser logs SDK | `trackingConsent` | `"granted"` or `"not-granted"` | No | `"granted"` | Set the initial user tracking consent state. See [User Tracking Consent][15]. | | `silentMultipleInit` | Boolean | No | | Prevent logging errors while having multiple init. | | `proxy` | String | No | | Optional proxy URL (ex: `https://www.proxy.com/path`), see the full [proxy setup guide][6] for more information. | -| `usePciIntake` | Boolean | No | `false` | Use PCI-compliant intake. See [PCI DSS Compliance][20] for more information. | | `telemetrySampleRate` | Number | No | `20` | Telemetry data (error, debug logs) about SDK execution is sent to Datadog in order to detect and solve potential issues. Set this option to `0` to opt out from telemetry collection. | | `storeContextsAcrossPages` | Boolean | No | | Store global context and user context in `localStorage` to preserve them along the user navigation. See [Contexts life cycle][11] for more details and specific limitations. | | `allowUntrustedEvents` | Boolean | No | | Allow capture of [untrusted events][13], for example in automated UI tests. | 
@@ -424,7 +423,6 @@ Options that must have a matching configuration when using the `RUM` SDK: | `trackSessionAcrossSubdomains` | Boolean | No | `false` | Preserve the session across subdomains for the same site. | | `useSecureSessionCookie` | Boolean | No | `false` | Use a secure session cookie. This disables logs sent on insecure (non-HTTPS) connections. | | `usePartitionedCrossSiteSessionCookie` | Boolean | No | `false` | Use a partitioned secure cross-site session cookie. This allows the logs SDK to run when the site is loaded from another one (iframe). Implies `useSecureSessionCookie`. | -| `usePciIntake` | Boolean | No | `false` | To forward logs to the [PCI-compliant intake][16], set to `true`. The PCI-compliant intake is only available for Datadog organizations in the US1 site. If `usePciIntake` is set to `true` and the site is not US1 (datadoghq.com), logs are sent to the default intake. | ## Usage @@ -1410,8 +1408,6 @@ window.DD_LOGS && window.DD_LOGS.getInternalContext() // { session_id: "xxxx-xxx [13]: https://developer.mozilla.org/en-US/docs/Web/API/Event/isTrusted [14]: /integrations/content_security_policy_logs/#use-csp-with-real-user-monitoring-and-session-replay [15]: #user-tracking-consent -[16]: https://docs.datadoghq.com/data_security/logs/#pci-dss-compliance-for-log-management [17]: /real_user_monitoring/browser/advanced_configuration/?tab=npm#micro-frontend [18]: /real_user_monitoring/browser/advanced_configuration/?tab=npm#enrich-and-control-rum-data [19]: /real_user_monitoring/browser/advanced_configuration/?tab=npm#discard-a-rum-event -[20]: /data_security/pci_compliance/?tab=logmanagement diff --git a/content/en/logs/log_configuration/_index.md b/content/en/logs/log_configuration/_index.md index 6f34ccb864ca6..3f065b5a02dd3 100644 --- a/content/en/logs/log_configuration/_index.md +++ b/content/en/logs/log_configuration/_index.md 
@@ -4,9 +4,6 @@ description: "Process, enrich, control, and manage your logs from the Logs Confi aliases: - /logs/processing further_reading: -- link: "/data_security/pci_compliance/" - tag: "Documentation" - text: "Set up a PCI-compliant Datadog organization" - link: "https://www.datadoghq.com/blog/logging-without-limits/" tag: "Blog" text: Learn more about Logging without Limits* @@ -25,8 +22,6 @@ further_reading: Datadog Logging without Limits* decouples log ingestion and indexing. Choose which logs to index and retain, or archive, and manage settings and controls at a top-level from the log configuration page at [**Logs > Pipelines**][1]. -**Note**: See [PCI DSS Compliance][2] for information on setting up a PCI-compliant Datadog organization. - ## Configuration options - Control how your logs are processed with [pipelines][3] and [processors][4]. @@ -49,7 +44,6 @@ Once you've completed configuration, start investigating and troubleshooting log *Logging without Limits is a trademark of Datadog, Inc. [1]: https://app.datadoghq.com/logs/pipelines -[2]: /data_security/pci_compliance/ [3]: /logs/log_configuration/pipelines [4]: /logs/log_configuration/processors [5]: /logs/log_configuration/attributes_naming_convention/ diff --git a/content/en/security/sensitive_data_scanner/_index.md b/content/en/security/sensitive_data_scanner/_index.md index e3114eecb6081..abe834705f6a4 100644 --- a/content/en/security/sensitive_data_scanner/_index.md +++ b/content/en/security/sensitive_data_scanner/_index.md 
@@ -47,8 +47,6 @@ further_reading: Sensitive data, such as credit card numbers, API keys, IP addresses, and personally identifiable information (PII) are often leaked unintentionally, which can expose your organization to security and compliance risks. Sensitive data can be found in your telemetry data, such as application logs, APM spans, RUM events, events from Event Management. It can also be unintentionally moved to cloud storage resources when engineering teams move their workloads to the cloud. Datadog's Sensitive Data Scanner can help prevent sensitive data leaks and limit non-compliance risks by discovering, classifying, and optionally redacting sensitive data. -**Note**: See [PCI DSS Compliance][1] for information on setting up a PCI-compliant Datadog organization. - ## Scan telemetry data {{< img src="sensitive_data_scanner/telemetry_data_issues.png" alt="Five different sensitive issues detected where two have critical priority, one has medium priority, and two are info." style="width:100%;" >}} @@ -125,7 +123,6 @@ When Sensitive Data Scanner is enabled, an [out-of-the-box dashboard][15] summar {{< partial name="whats-next/whats-next.html" >}} -[1]: /data_security/pci_compliance/ [2]: /security/sensitive_data_scanner/scanning_rules/library_rules/ [3]: /security/sensitive_data_scanner/scanning_rules/custom_rules/ [4]: /security/sensitive_data_scanner/setup/telemetry_data/ diff --git a/content/en/tracing/configure_data_security/_index.md b/content/en/tracing/configure_data_security/_index.md index de38de9b77f22..d31065ceaf649 100644 --- a/content/en/tracing/configure_data_security/_index.md +++ b/content/en/tracing/configure_data_security/_index.md 
@@ -9,10 +9,6 @@ aliases: - /tracing/custom_instrumentation/agent_customization - /tracing/faq/if-i-instrument-a-database-with-datadog-apm-will-there-be-sensitive-database-data-sent-to-datadog - /tracing/setup_overview/configure_data_security/ -further_reading: -- link: "/data_security/pci_compliance/" - tag: "Documentation" - text: "Set up a PCI-compliant Datadog organization" --- ## Overview From 6101fecd170a525fa1e481fc1a91bcf998635774 Mon Sep 17 00:00:00 2001 From: Esther Kim Date: Thu, 7 Aug 2025 18:27:10 -0400 Subject: [PATCH 3/9] Re-add PCI Compliance docs with updated links --- config/_default/menus/main.en.yaml | 5 +++ .../account_management/audit_trail/_index.md | 6 ++++ content/en/data_security/pci_compliance.md | 34 +++++++++++++++++++ content/en/logs/log_configuration/_index.md | 4 +++ .../destinations/datadog_logs.md | 4 +-- .../security/sensitive_data_scanner/_index.md | 5 ++- .../tracing/configure_data_security/_index.md | 23 ------------- 7 files changed, 54 insertions(+), 27 deletions(-) create mode 100644 content/en/data_security/pci_compliance.md diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml index 7323542081542..a3ce785409ae2 100644 --- a/config/_default/menus/main.en.yaml +++ b/config/_default/menus/main.en.yaml @@ -8028,6 +8028,11 @@ menu: url: data_security/real_user_monitoring/ parent: data_security weight: 6 + - name: PCI Compliance + identifier: data_security_pci_compliance + url: data_security/pci_compliance/ + parent: data_security + weight: 7 - name: HIPAA Compliance identifier: data_security_hipaa_compliance url: data_security/hipaa_compliance/ diff --git a/content/en/account_management/audit_trail/_index.md b/content/en/account_management/audit_trail/_index.md index 94073a615b672..574b0c3edf929 100644 --- a/content/en/account_management/audit_trail/_index.md +++ b/content/en/account_management/audit_trail/_index.md 
@@ -9,6 +9,9 @@ further_reading: - link: "/account_management/org_settings/" tag: "Documentation" text: "Learn about organization settings" +- link: "/data_security/pci_compliance/" + tag: "Documentation" + text: "PCI DSS Compliance" - link: "https://www.datadoghq.com/blog/compliance-governance-transparency-with-datadog-audit-trail/" tag: "Blog" text: "Build compliance, governance, and transparency across your teams with Datadog Audit Trail" @@ -41,6 +44,8 @@ For security admins or InfoSec teams, audit trail events help with compliance ch You can also analyze Audit Trail events with [Cloud SIEM][15] to detect threats and generate security signals. See [Getting Started with Cloud SIEM][16] for more information. +**Note**: Datadog's tools and policies comply with PCI v4.0. For more information see [PCI DSS Compliance][2]. + ## Setup To enable Datadog Audit Trail, navigate to your [Organization Settings][3] and select *Audit Trail Settings* under *COMPLIANCE*. Click the **Enable** button. @@ -223,6 +228,7 @@ Datadog Audit Trail comes with an [out-of-the-box dashboard][13] that shows vari {{< partial name="whats-next/whats-next.html" >}} [1]: https://app.datadoghq.com/audit-trail +[2]: /data_security/pci_compliance/ [3]: https://app.datadoghq.com/organization-settings/ [4]: https://app.datadoghq.com/event/explorer [5]: /logs/explorer/ diff --git a/content/en/data_security/pci_compliance.md b/content/en/data_security/pci_compliance.md new file mode 100644 index 0000000000000..851ee53e6f7b4 --- /dev/null +++ b/content/en/data_security/pci_compliance.md 
@@ -0,0 +1,34 @@ +--- +title: PCI DSS Compliance +further_reading: +- link: "https://trust.datadoghq.com/" + tag: "Datadog Trust Center" + text: "Learn about Datadog's security posture and review security documentation" +--- + +## Overview + +The Payment Card Industry (PCI) Data Security Standard (DSS) has rigorous monitoring and data security requirements for all merchants, service providers, and financial institutions. To meet these requirements, organizations often separate PCI-regulated data (such as cardholder data) and non-regulated data into different applications for monitoring and compliance purposes. + +**Datadog's tools and policies comply with PCI v4.0**. To understand the full scope of Datadog's environment and how it relates to customer responsibilities under the relevant PCI-DSS controls, download the Customer Responsibility Matrix and the Attestation of Compliance (AoC) from the [Datadog Trust Center][1]. + +Datadog's Attestation of Compliance (AoC) reflects the tools and policies we have in place to maintain a Connected PCI environment as a service provider. The Datadog platform supports connections to cardholder data environments (CDE) as a Connected PCI environment, but does not serve as a CDE itself for storing, processing, or transmitting cardholder data (CHD). +It is the customer's responsibility to prevent any CHD from entering the Datadog platform. See below for some tools customers can use to meet this requirement. 
+ +## Recommended tools for PCI compliance + +To help maintain PCI compliance, **Datadog strongly recommends** the use of the following tools and process: +- [**Sensitive Data Scanner**][2]: discover, classify, and redact sensitive cardholder data +- [**Audit Trail**][3]: search and analyze detailed audit events for up to 90 days for long-term retention and archiving +- [**File Integrity Monitoring**][4]: watch for changes to key files and directories +- [**Cloud Security Management**][5]: track conformance to requirements of industry benchmarks and other controls + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: https://trust.datadoghq.com/ +[2]: https://docs.datadoghq.com/security/sensitive_data_scanner/ +[3]: https://docs.datadoghq.com/account_management/audit_trail/ +[4]: https://docs.datadoghq.com/security/workload_protection/ +[5]: https://docs.datadoghq.com/security/cloud_security_management/#track-your-organizations-health \ No newline at end of file diff --git a/content/en/logs/log_configuration/_index.md b/content/en/logs/log_configuration/_index.md index 3f065b5a02dd3..daddeb01ef652 100644 --- a/content/en/logs/log_configuration/_index.md +++ b/content/en/logs/log_configuration/_index.md @@ -4,6 +4,9 @@ description: "Process, enrich, control, and manage your logs from the Logs Confi aliases: - /logs/processing further_reading: +- link: "/data_security/pci_compliance/" + tag: "Documentation" + text: "PCI DSS Compliance" - link: "https://www.datadoghq.com/blog/logging-without-limits/" tag: "Blog" text: Learn more about Logging without Limits* @@ -44,6 +47,7 @@ Once you've completed configuration, start investigating and troubleshooting log *Logging without Limits is a trademark of Datadog, Inc. [1]: https://app.datadoghq.com/logs/pipelines +[2]: /data_security/pci_compliance/ [3]: /logs/log_configuration/pipelines [4]: /logs/log_configuration/processors [5]: /logs/log_configuration/attributes_naming_convention/ 
diff --git a/content/en/observability_pipelines/destinations/datadog_logs.md b/content/en/observability_pipelines/destinations/datadog_logs.md index 9b46506665566..2ba3a775dac12 100644 --- a/content/en/observability_pipelines/destinations/datadog_logs.md +++ b/content/en/observability_pipelines/destinations/datadog_logs.md @@ -34,9 +34,7 @@ To send logs from Observability Pipelines to Datadog using AWS PrivateLink, see - Logs (User HTTP intake): `http-intake.logs.datadoghq.com` - Remote Configuration: `config.datadoghq.com` -**Notes**: -- If you are a PCI-compliant organization, the Worker sends logs over `http-intake-pci.logs.datadoghq.com`, which is not available as an AWS PrivateLink endpoint. -- The `obpipeline-intake.datadoghq.com` endpoint is used for Live Capture and is not available as a PrivateLink endpoint. +**Note**: The `obpipeline-intake.datadoghq.com` endpoint is used for Live Capture and is not available as a PrivateLink endpoint. [1]: https://app.datadoghq.com/observability-pipelines [2]: /observability_pipelines/destinations/#event-batching diff --git a/content/en/security/sensitive_data_scanner/_index.md b/content/en/security/sensitive_data_scanner/_index.md index abe834705f6a4..cb5061e048fbc 100644 --- a/content/en/security/sensitive_data_scanner/_index.md +++ b/content/en/security/sensitive_data_scanner/_index.md 
@@ -47,6 +47,8 @@ further_reading: Sensitive data, such as credit card numbers, API keys, IP addresses, and personally identifiable information (PII) are often leaked unintentionally, which can expose your organization to security and compliance risks. Sensitive data can be found in your telemetry data, such as application logs, APM spans, RUM events, events from Event Management. It can also be unintentionally moved to cloud storage resources when engineering teams move their workloads to the cloud. Datadog's Sensitive Data Scanner can help prevent sensitive data leaks and limit non-compliance risks by discovering, classifying, and optionally redacting sensitive data. +**Note**: Datadog's tools and policies comply with PCI v4.0. For more information see [PCI DSS Compliance][1]. + ## Scan telemetry data {{< img src="sensitive_data_scanner/telemetry_data_issues.png" alt="Five different sensitive issues detected where two have critical priority, one has medium priority, and two are info." style="width:100%;" >}} @@ -123,6 +125,7 @@ When Sensitive Data Scanner is enabled, an [out-of-the-box dashboard][15] summar {{< partial name="whats-next/whats-next.html" >}} +[1]: /data_security/pci_compliance/ [2]: /security/sensitive_data_scanner/scanning_rules/library_rules/ [3]: /security/sensitive_data_scanner/scanning_rules/custom_rules/ [4]: /security/sensitive_data_scanner/setup/telemetry_data/ @@ -130,7 +133,7 @@ When Sensitive Data Scanner is enabled, an [out-of-the-box dashboard][15] summar [6]: /observability_pipelines/processors/sensitive_data_scanner [7]: /observability_pipelines/set_up_pipelines/ [8]: /security/cloud_security_management/setup/agentless_scanning -[9]: /agent/remote_config +[9]: /remote_configuration [10]: /security/sensitive_data_scanner/scanning_rules/library_rules/ [11]: /security/cloud_security_management [12]: /security/sensitive_data_scanner/setup/cloud_storage/ 
diff --git a/content/en/tracing/configure_data_security/_index.md b/content/en/tracing/configure_data_security/_index.md index d31065ceaf649..9b7c4bdf83f19 100644 --- a/content/en/tracing/configure_data_security/_index.md +++ b/content/en/tracing/configure_data_security/_index.md @@ -684,29 +684,6 @@ export DD_APM_TELEMETRY_ENABLED=false {{% /tab %}} {{< /tabs >}} -## PCI DSS compliance for compliance for APM - -{{< site-region region="us" >}} - -
-PCI compliance for APM is only available for Datadog organizations in the US1 site. -
- -To set up a PCI-compliant Datadog org, follow these steps: - -{{% pci-apm %}} - -See [PCI DSS Compliance][1] for more information. To enable PCI compliance for logs, see [PCI DSS compliance for Log Management][2]. - -[1]: /data_security/pci_compliance/ -[2]: /data_security/pci_compliance/?tab=logmanagement - -{{< /site-region >}} - -{{< site-region region="us2,us3,us5,eu,gov" >}} -PCI compliance for APM is not available for the {{< region-param key="dd_site_name" >}} site. -{{< /site-region >}} - ## Further Reading {{< partial name="whats-next/whats-next.html" >}} From 070a8c2541d9312a3c7ac2359dc6b775a174e546 Mon Sep 17 00:00:00 2001 From: jinatdatadog <97474042+jinatdatadog@users.noreply.github.com> Date: Fri, 8 Aug 2025 09:08:06 -0400 Subject: [PATCH 4/9] Update content/en/data_security/pci_compliance.md Co-authored-by: Esther Kim --- content/en/data_security/pci_compliance.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/data_security/pci_compliance.md b/content/en/data_security/pci_compliance.md index 851ee53e6f7b4..03916e2ed5dbe 100644 --- a/content/en/data_security/pci_compliance.md +++ b/content/en/data_security/pci_compliance.md 
@@ -13,7 +13,7 @@ The Payment Card Industry (PCI) Data Security Standard (DSS) has rigorous monito **Datadog's tools and policies comply with PCI v4.0**. To understand the full scope of Datadog's environment and how it relates to customer responsibilities under the relevant PCI-DSS controls, download the Customer Responsibility Matrix and the Attestation of Compliance (AoC) from the [Datadog Trust Center][1]. Datadog's Attestation of Compliance (AoC) reflects the tools and policies we have in place to maintain a Connected PCI environment as a service provider. The Datadog platform supports connections to cardholder data environments (CDE) as a Connected PCI environment, but does not serve as a CDE itself for storing, processing, or transmitting cardholder data (CHD). -It is the customer's responsibility to prevent any CHD from entering the Datadog platform. See below for some tools customers can use to meet this requirement. +It is your responsibility to prevent any CHD from entering the Datadog platform. ## Recommended tools for PCI compliance From b8f776092a1c6bb5c69336f135355d773f41ccaf Mon Sep 17 00:00:00 2001 From: Esther Kim Date: Fri, 8 Aug 2025 09:25:22 -0400 Subject: [PATCH 5/9] Update content/en/data_security/pci_compliance.md --- content/en/data_security/pci_compliance.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/data_security/pci_compliance.md b/content/en/data_security/pci_compliance.md index 03916e2ed5dbe..92eee0de5c944 100644 --- a/content/en/data_security/pci_compliance.md +++ b/content/en/data_security/pci_compliance.md 
@@ -27,7 +27,7 @@ To help maintain PCI compliance, **Datadog strongly recommends** the use of the {{< partial name="whats-next/whats-next.html" >}} -[1]: https://trust.datadoghq.com/ +[1]: https://trust.datadoghq.com/?itemUid=53e1508c-665e-45a8-9ce0-03fdf9ae1efb&source=click [2]: https://docs.datadoghq.com/security/sensitive_data_scanner/ [3]: https://docs.datadoghq.com/account_management/audit_trail/ [4]: https://docs.datadoghq.com/security/workload_protection/ From 757474c000795d1b121e0b52cad4b4e88b2a01e5 Mon Sep 17 00:00:00 2001 From: Esther Kim Date: Fri, 8 Aug 2025 09:46:57 -0400 Subject: [PATCH 6/9] Readd the further reading links --- content/en/data_security/logs.md | 10 ++++++++-- content/en/tracing/configure_data_security/_index.md | 7 ++++++- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/content/en/data_security/logs.md b/content/en/data_security/logs.md index b480ff4ada63c..13a35971e0e7f 100644 --- a/content/en/data_security/logs.md +++ b/content/en/data_security/logs.md @@ -6,13 +6,18 @@ further_reading: - link: "/data_security/" tag: "Documentation" text: "Review the main categories of data submitted to Datadog" +- link: "/data_security/pci_compliance/" + tag: "Documentation" + text: "PCI DSS Compliance" ---
This page is about the security of data sent to Datadog. If you're looking for cloud and application security products and features, see the Security section.
The Log Management product supports multiple [environments and formats][1], allowing you to submit to Datadog nearly any data you choose. This article describes the main security guarantees and filtering controls available to you when submitting logs to Datadog. -**Note**: Logs can be viewed in various Datadog products. All logs viewed in the Datadog UI, including logs viewed in APM trace pages, are part of the Log Management product. +**Notes**: +- Logs can be viewed in various Datadog products. All logs viewed in the Datadog UI, including logs viewed in APM trace pages, are part of the Log Management product. +- Datadog's tools and policies comply with PCI v4.0. For more information see [PCI DSS Compliance][10]. ## Information security @@ -57,4 +62,5 @@ All log submission endpoints are encrypted. These legacy endpoints are still sup [6]: https://www.datadoghq.com/legal/hipaa-eligible-services/ [7]: /security/sensitive_data_scanner/ [8]: /observability_pipelines/processors/sensitive_data_scanner -[9]: /observability_pipelines/ \ No newline at end of file +[9]: /observability_pipelines/ +[10]: /data_security/pci_compliance/ \ No newline at end of file diff --git a/content/en/tracing/configure_data_security/_index.md b/content/en/tracing/configure_data_security/_index.md index 9b7c4bdf83f19..b141a67e74375 100644 --- a/content/en/tracing/configure_data_security/_index.md +++ b/content/en/tracing/configure_data_security/_index.md 
@@ -9,10 +9,14 @@ aliases: - /tracing/custom_instrumentation/agent_customization - /tracing/faq/if-i-instrument-a-database-with-datadog-apm-will-there-be-sensitive-database-data-sent-to-datadog - /tracing/setup_overview/configure_data_security/ +further_reading: +- link: "/data_security/pci_compliance/" + tag: "Documentation" + text: "PCI DSS Compliance" --- ## Overview -Datadog tracing libraries collect data from an instrumented application. That data is sent to Datadog as traces and it may contain sensitive data such as personally identifiable information (PII). If you are ingesting sensitive data as traces into Datadog, remediations can be added at ingestion with [Sensitive Data Scanner][12]. You can also configure the Datadog Agent or the tracing library to remediate sensitive data at collection before traces are sent to Datadog. +Datadog tracing libraries collect data from an instrumented application. That data is sent to Datadog as traces and it may contain sensitive data such as personally identifiable information (PII). If you are ingesting sensitive data as traces into Datadog, remediations can be added at ingestion with [Sensitive Data Scanner][12]. You can also configure the Datadog Agent or the tracing library to remediate sensitive data at collection before traces are sent to Datadog. Datadog's tools and policies comply with PCI v4.0. For more information see [PCI DSS Compliance][14]. If the configurations described here do not cover your compliance requirements, reach out to [the Datadog support team][1]. @@ -701,3 +705,4 @@ export DD_APM_TELEMETRY_ENABLED=false [11]: https://ddtrace.readthedocs.io/en/stable/advanced_usage.html#trace-filtering [12]: /security/sensitive_data_scanner/ [13]: /security/application_security/how-it-works/#data-privacy +[14]: /data_security/pci_compliance/ \ No newline at end of file From a638049aad35929f301902f225badf6a4ea06f75 Mon Sep 17 00:00:00 2001 
From: Esther Kim Date: Fri, 8 Aug 2025 10:08:36 -0400 Subject: [PATCH 7/9] Remove PCI config shortcodes --- layouts/shortcodes/pci-apm.en.md | 32 ----------------------------- layouts/shortcodes/pci-logs.en.md | 34 ------------------------------- 2 files changed, 66 deletions(-) delete mode 100644 layouts/shortcodes/pci-apm.en.md delete mode 100644 layouts/shortcodes/pci-logs.en.md diff --git a/layouts/shortcodes/pci-apm.en.md b/layouts/shortcodes/pci-apm.en.md deleted file mode 100644 index 7256fad9296b6..0000000000000 --- a/layouts/shortcodes/pci-apm.en.md +++ /dev/null 
@@ -1,32 +0,0 @@ -To set up PCI compliant Application Performance Monitoring, you must meet the following requirements: -- Audit Trail must be enabled and remain enabled for PCI DSS compliance. If you haven't already enabled Audit Trail, it is _automatically enabled_ once the org is configured as PCI-compliant (after following the steps below). -- Your Datadog organization is in the US1 site. -- All spans sent to the PCI endpoints using HTTPS only. If you are using the Agent to send spans, you should enforce HTTPS transport. -- **All** your spans endpoints need to be changed to the PCI endpoints for spans. -- You may request access to the PCI Attestation of Compliance and Customer Responsibility Matrix on [Datadog's Trust Center][105] - note that these documents are only applicable once you have finished all the onboarding steps and have been manually configured to be compliant by Datadog support. - -To begin **onboarding**: -1. Contact [Datadog support][101] or your [Customer Success Manager][102] to request to being the PCI onboarding process while ensuring the necessary PCI requirements are met. -2. After Datadog support or Customer Success confirms that the org is PCI DSS compliant, configure the respective configuration file to send spans to the dedicated PCI compliant endpoint: - -- `https://trace-pci.agent.datadoghq.com` for Agent and non-Agent traffic - -3. For example, add the following lines to the Agent configuration file: -``` -apm_config: - apm_dd_url: -``` -4. All spans that are sent to the PCI compliant endpoint(s) automatically have a set of [Sensitive Data Scanner][106] PCI rules that are applied to scrub any cardholder data. These dedicated PCI rules must be enabled for PCI DSS compliance and are included with no additional charge. Note that Sensitive Data Scanner for PCI customers does not include the Summary page or estimated usage metric capabilities. - -To finish onboarding and be moved to **compliant**: -1. 
Inform your [Datadog support][101] or your [Customer Success Manager][102] that you have moved over **all** your endpoints to the PCI compliant endpoint(s). -2. Once confirmed by Datadog, your span configuration and Application Performance Monitoring is considered PCI-compliant. - -If you have any questions about how your now PCI-compliant Application Performance Monitoring satisfies the applicable requirements under PCI DSS, contact your account manager. See information on setting up [PCI-compliant Log Management][104]. - -[101]: /help/ -[102]: mailto:success@datadoghq.com -[103]: /account_management/audit_trail/#setup -[104]: /data_security/pci_compliance/?tab=logmanagement -[105]: https://trust.datadoghq.com/ -[106]: /sensitive_data_scanner diff --git a/layouts/shortcodes/pci-logs.en.md b/layouts/shortcodes/pci-logs.en.md deleted file mode 100644 index 04ef9ab7eb576..0000000000000 --- a/layouts/shortcodes/pci-logs.en.md +++ /dev/null 
@@ -1,34 +0,0 @@ -To set up PCI-compliant Log Management, you must meet the following requirements: -- Audit Trail must be enabled and remain enabled for PCI DSS compliance. If you haven't already enabled Audit Trail, it is _automatically enabled_ once the org is configured as PCI-compliant (after following the steps below). -- Your Datadog organization is in the US1 site. -- All logs sent to the PCI endpoints using HTTPS only. If you are using the Agent to send logs, you should enforce HTTPS transport. -- **All** your logs endpoints need to be changed to the PCI endpoints for logs. -- You may request access to the PCI Attestation of Compliance and Customer Responsibility Matrix on [Datadog's Trust Center][105] - note that these documents are only applicable once you have finished all the onboarding steps and have been manually configured to be compliant by Datadog support. - -To begin **onboarding**: -1. Contact [Datadog support][101] or your [Customer Success Manager][102] to request to being the PCI onboarding process while ensuring the necessary PCI requirements are met. -2. After Datadog support or Customer Success confirms that the org is ready to onboard, configure the respective configuration file to send all your logs to the dedicated PCI compliant endpoint(s): - -- `agent-http-intake-pci.logs.datadoghq.com:443` for Agent traffic -- `http-intake-pci.logs.datadoghq.com:443` for non-Agent traffic -- `pci.browser-intake-datadoghq.com:443` for browser logs - -3. For example, add the following lines to the Agent configuration file: - ``` - logs_config: - logs_dd_url: agent-http-intake-pci.logs.datadoghq.com:443 - ``` -4. All logs that are sent to the PCI compliant endpoint(s) automatically have a set of [Sensitive Data Scanner][106] PCI rules that are applied to scrub any cardholder data. These dedicated PCI rules must be enabled for PCI DSS compliance and are included with no additional charge. 
Note that Sensitive Data Scanner for PCI customers does not include the Summary page or estimated usage metric capabilities. - -To finish onboarding and be moved to **compliant**: -1. Inform your [Datadog support][101] or your [Customer Success Manager][102] that you have moved over **all** your endpoints to the PCI compliant endpoint(s). -2. Once confirmed by Datadog, your Logs and Log Management is considered to be PCI-compliant. - -If you have any questions about how your now PCI-compliant Log Management satisfies the applicable requirements under PCI DSS, contact your account manager. See information on setting up [PCI-compliant Application Performance Monitoring][104]. - -[101]: /help/ -[102]: mailto:success@datadoghq.com -[103]: /account_management/audit_trail/#setup -[104]: /data_security/pci_compliance/?tab=apm -[105]: https://trust.datadoghq.com/ -[106]: /sensitive_data_scanner From bef06471a74a684d4a316d0df39880bcc7dd6470 Mon Sep 17 00:00:00 2001 From: Esther Kim Date: Fri, 8 Aug 2025 11:11:08 -0400 Subject: [PATCH 8/9] Apply suggestions from code review Co-authored-by: DeForest Richards <56796055+drichards-87@users.noreply.github.com> --- content/en/account_management/audit_trail/_index.md | 2 +- content/en/data_security/logs.md | 2 +- content/en/data_security/pci_compliance.md | 8 ++++---- content/en/security/sensitive_data_scanner/_index.md | 2 +- content/en/tracing/configure_data_security/_index.md | 2 +- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/content/en/account_management/audit_trail/_index.md b/content/en/account_management/audit_trail/_index.md index 574b0c3edf929..af0d56063207d 100644 --- a/content/en/account_management/audit_trail/_index.md +++ b/content/en/account_management/audit_trail/_index.md 
@@ -44,7 +44,7 @@ For security admins or InfoSec teams, audit trail events help with compliance ch You can also analyze Audit Trail events with [Cloud SIEM][15] to detect threats and generate security signals. See [Getting Started with Cloud SIEM][16] for more information. -**Note**: Datadog's tools and policies comply with PCI v4.0. For more information see [PCI DSS Compliance][2]. +**Note**: Datadog's tools and policies comply with PCI v4.0. For more information, see [PCI DSS Compliance][2]. ## Setup diff --git a/content/en/data_security/logs.md b/content/en/data_security/logs.md index 13a35971e0e7f..e8fe480299ef4 100644 --- a/content/en/data_security/logs.md +++ b/content/en/data_security/logs.md @@ -17,7 +17,7 @@ The Log Management product supports multiple [environments and formats][1], allo **Notes**: - Logs can be viewed in various Datadog products. All logs viewed in the Datadog UI, including logs viewed in APM trace pages, are part of the Log Management product. -- Datadog's tools and policies comply with PCI v4.0. For more information see [PCI DSS Compliance][10]. +- Datadog's tools and policies comply with PCI v4.0. For more information, see [PCI DSS Compliance][10]. ## Information security diff --git a/content/en/data_security/pci_compliance.md b/content/en/data_security/pci_compliance.md index 92eee0de5c944..ba1986153bd9f 100644 --- a/content/en/data_security/pci_compliance.md +++ b/content/en/data_security/pci_compliance.md 
@@ -28,7 +28,7 @@ To help maintain PCI compliance, **Datadog strongly recommends** the use of the {{< partial name="whats-next/whats-next.html" >}} [1]: https://trust.datadoghq.com/?itemUid=53e1508c-665e-45a8-9ce0-03fdf9ae1efb&source=click -[2]: https://docs.datadoghq.com/security/sensitive_data_scanner/ -[3]: https://docs.datadoghq.com/account_management/audit_trail/ -[4]: https://docs.datadoghq.com/security/workload_protection/ -[5]: https://docs.datadoghq.com/security/cloud_security_management/#track-your-organizations-health \ No newline at end of file +[2]: /security/sensitive_data_scanner/ +[3]: /account_management/audit_trail/ +[4]: /security/workload_protection/ +[5]: /security/cloud_security_management/#track-your-organizations-health \ No newline at end of file diff --git a/content/en/security/sensitive_data_scanner/_index.md b/content/en/security/sensitive_data_scanner/_index.md index cb5061e048fbc..66da314527a27 100644 --- a/content/en/security/sensitive_data_scanner/_index.md +++ b/content/en/security/sensitive_data_scanner/_index.md @@ -47,7 +47,7 @@ further_reading: Sensitive data, such as credit card numbers, API keys, IP addresses, and personally identifiable information (PII) are often leaked unintentionally, which can expose your organization to security and compliance risks. Sensitive data can be found in your telemetry data, such as application logs, APM spans, RUM events, events from Event Management. It can also be unintentionally moved to cloud storage resources when engineering teams move their workloads to the cloud. Datadog's Sensitive Data Scanner can help prevent sensitive data leaks and limit non-compliance risks by discovering, classifying, and optionally redacting sensitive data. -**Note**: Datadog's tools and policies comply with PCI v4.0. For more information see [PCI DSS Compliance][1]. +**Note**: Datadog's tools and policies comply with PCI v4.0. For more information, see [PCI DSS Compliance][1]. ## Scan telemetry data 
diff --git a/content/en/tracing/configure_data_security/_index.md b/content/en/tracing/configure_data_security/_index.md index b141a67e74375..78639d2b8eb86 100644 --- a/content/en/tracing/configure_data_security/_index.md +++ b/content/en/tracing/configure_data_security/_index.md @@ -16,7 +16,7 @@ further_reading: --- ## Overview -Datadog tracing libraries collect data from an instrumented application. That data is sent to Datadog as traces and it may contain sensitive data such as personally identifiable information (PII). If you are ingesting sensitive data as traces into Datadog, remediations can be added at ingestion with [Sensitive Data Scanner][12]. You can also configure the Datadog Agent or the tracing library to remediate sensitive data at collection before traces are sent to Datadog. Datadog's tools and policies comply with PCI v4.0. For more information see [PCI DSS Compliance][14]. +Datadog tracing libraries collect data from an instrumented application. That data is sent to Datadog as traces and it may contain sensitive data such as personally identifiable information (PII). If you are ingesting sensitive data as traces into Datadog, remediations can be added at ingestion with [Sensitive Data Scanner][12]. You can also configure the Datadog Agent or the tracing library to remediate sensitive data at collection before traces are sent to Datadog. Datadog's tools and policies comply with PCI v4.0. For more information, see [PCI DSS Compliance][14]. If the configurations described here do not cover your compliance requirements, reach out to [the Datadog support team][1]. From d14244d58f9b69d4fe30eb59242ea26c78473c66 Mon Sep 17 00:00:00 2001 
From: Esther Kim Date: Fri, 8 Aug 2025 14:31:06 -0400 Subject: [PATCH 9/9] Restore shortcode to fix build issue --- layouts/shortcodes/pci-apm.en.md | 32 +++++++++++++++++++++++++++++ layouts/shortcodes/pci-logs.en.md | 34 +++++++++++++++++++++++++++++++ 2 files changed, 66 insertions(+) create mode 100644 layouts/shortcodes/pci-apm.en.md create mode 100644 layouts/shortcodes/pci-logs.en.md diff --git a/layouts/shortcodes/pci-apm.en.md b/layouts/shortcodes/pci-apm.en.md new file mode 100644 index 0000000000000..7256fad9296b6 --- /dev/null +++ b/layouts/shortcodes/pci-apm.en.md 
@@ -0,0 +1,32 @@ +To set up PCI compliant Application Performance Monitoring, you must meet the following requirements: +- Audit Trail must be enabled and remain enabled for PCI DSS compliance. If you haven't already enabled Audit Trail, it is _automatically enabled_ once the org is configured as PCI-compliant (after following the steps below). +- Your Datadog organization is in the US1 site. +- All spans sent to the PCI endpoints using HTTPS only. If you are using the Agent to send spans, you should enforce HTTPS transport. +- **All** your spans endpoints need to be changed to the PCI endpoints for spans. +- You may request access to the PCI Attestation of Compliance and Customer Responsibility Matrix on [Datadog's Trust Center][105] - note that these documents are only applicable once you have finished all the onboarding steps and have been manually configured to be compliant by Datadog support. + +To begin **onboarding**: +1. Contact [Datadog support][101] or your [Customer Success Manager][102] to request to being the PCI onboarding process while ensuring the necessary PCI requirements are met. +2. After Datadog support or Customer Success confirms that the org is PCI DSS compliant, configure the respective configuration file to send spans to the dedicated PCI compliant endpoint: + +- `https://trace-pci.agent.datadoghq.com` for Agent and non-Agent traffic + +3. For example, add the following lines to the Agent configuration file: +``` +apm_config: + apm_dd_url: +``` +4. All spans that are sent to the PCI compliant endpoint(s) automatically have a set of [Sensitive Data Scanner][106] PCI rules that are applied to scrub any cardholder data. These dedicated PCI rules must be enabled for PCI DSS compliance and are included with no additional charge. Note that Sensitive Data Scanner for PCI customers does not include the Summary page or estimated usage metric capabilities. + +To finish onboarding and be moved to **compliant**: +1. 
Inform your [Datadog support][101] or your [Customer Success Manager][102] that you have moved over **all** your endpoints to the PCI compliant endpoint(s). +2. Once confirmed by Datadog, your span configuration and Application Performance Monitoring is considered PCI-compliant. + +If you have any questions about how your now PCI-compliant Application Performance Monitoring satisfies the applicable requirements under PCI DSS, contact your account manager. See information on setting up [PCI-compliant Log Management][104]. + +[101]: /help/ +[102]: mailto:success@datadoghq.com +[103]: /account_management/audit_trail/#setup +[104]: /data_security/pci_compliance/?tab=logmanagement +[105]: https://trust.datadoghq.com/ +[106]: /sensitive_data_scanner diff --git a/layouts/shortcodes/pci-logs.en.md b/layouts/shortcodes/pci-logs.en.md new file mode 100644 index 0000000000000..04ef9ab7eb576 --- /dev/null +++ b/layouts/shortcodes/pci-logs.en.md 
@@ -0,0 +1,34 @@ +To set up PCI-compliant Log Management, you must meet the following requirements: +- Audit Trail must be enabled and remain enabled for PCI DSS compliance. If you haven't already enabled Audit Trail, it is _automatically enabled_ once the org is configured as PCI-compliant (after following the steps below). +- Your Datadog organization is in the US1 site. +- All logs sent to the PCI endpoints using HTTPS only. If you are using the Agent to send logs, you should enforce HTTPS transport. +- **All** your logs endpoints need to be changed to the PCI endpoints for logs. +- You may request access to the PCI Attestation of Compliance and Customer Responsibility Matrix on [Datadog's Trust Center][105] - note that these documents are only applicable once you have finished all the onboarding steps and have been manually configured to be compliant by Datadog support. + +To begin **onboarding**: +1. Contact [Datadog support][101] or your [Customer Success Manager][102] to request to being the PCI onboarding process while ensuring the necessary PCI requirements are met. +2. After Datadog support or Customer Success confirms that the org is ready to onboard, configure the respective configuration file to send all your logs to the dedicated PCI compliant endpoint(s): + +- `agent-http-intake-pci.logs.datadoghq.com:443` for Agent traffic +- `http-intake-pci.logs.datadoghq.com:443` for non-Agent traffic +- `pci.browser-intake-datadoghq.com:443` for browser logs + +3. For example, add the following lines to the Agent configuration file: + ``` + logs_config: + logs_dd_url: agent-http-intake-pci.logs.datadoghq.com:443 + ``` +4. All logs that are sent to the PCI compliant endpoint(s) automatically have a set of [Sensitive Data Scanner][106] PCI rules that are applied to scrub any cardholder data. These dedicated PCI rules must be enabled for PCI DSS compliance and are included with no additional charge. 
Note that Sensitive Data Scanner for PCI customers does not include the Summary page or estimated usage metric capabilities. + +To finish onboarding and be moved to **compliant**: +1. Inform your [Datadog support][101] or your [Customer Success Manager][102] that you have moved over **all** your endpoints to the PCI compliant endpoint(s). +2. Once confirmed by Datadog, your Logs and Log Management is considered to be PCI-compliant. + +If you have any questions about how your now PCI-compliant Log Management satisfies the applicable requirements under PCI DSS, contact your account manager. See information on setting up [PCI-compliant Application Performance Monitoring][104]. + +[101]: /help/ +[102]: mailto:success@datadoghq.com +[103]: /account_management/audit_trail/#setup +[104]: /data_security/pci_compliance/?tab=apm +[105]: https://trust.datadoghq.com/ +[106]: /sensitive_data_scanner
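Review bot: In PATCH 4/9 (`content/en/data_security/pci_compliance.md`, hunk `@@ -13,7 +13,7 @@`), removing "See below for some tools customers can use to meet this requirement." leaves the responsibility statement with no pointer to how to meet it, even though the `## Recommended tools for PCI compliance` heading follows directly in the context lines. Consider keeping a second-person pointer after the new sentence, for example "See the recommended tools below to help meet this requirement."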
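Review bot: In PATCH 5/9, the new `[1]` target ends in `&source=click`, which looks like a parameter carried over from a browser session rather than part of the document's address. If the deep link to the Trust Center item is intended, keep only `?itemUid=53e1508c-665e-45a8-9ce0-03fdf9ae1efb`. The shortcodes restored in PATCH 9/9 still define `[105]` as the bare `https://trust.datadoghq.com/`, so the two link targets should be made to agree.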
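Review bot: In PATCH 6/9, the Overview hunk of `content/en/tracing/configure_data_security/_index.md` appends the PCI v4.0 sentence to the end of the paragraph on remediating sensitive data in traces, where it reads as a continuation of the remediation guidance. The same commit puts that sentence in a `**Notes**:` list in `data_security/logs.md`, so a separate `**Note**:` line here would be consistent. Both reference blocks touched by this commit also still end with `\ No newline at end of file`; add the trailing newline while the last line is being changed.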
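Review bot: In PATCH 9/9, the restored `layouts/shortcodes/pci-apm.en.md` example under step 3 has an empty `apm_dd_url:` key, so a reader who copies it configures no endpoint; fill in the `https://trace-pci.agent.datadoghq.com` value that step 2 names. The fence and the endpoint bullet between steps 2 and 3 both start at column 0 (the `pci-logs.en.md` fence is indented under its step), which can interrupt the ordered list and restart its numbering. In step 1, "request to being the PCI onboarding process" should read "request to begin", and `[103]` is defined but never referenced in the file.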
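Review bot: In PATCH 9/9, `layouts/shortcodes/pci-logs.en.md` is restored verbatim two commits after PATCH 7/9 removed it, with only "fix build issue" as the reason; name the page that still calls `pci-logs` or `pci-apm` in the commit message, or remove those calls, so the shortcodes can be deleted cleanly later. If the text does stay, the requirement bullet "All logs sent to the PCI endpoints using HTTPS only." has no verb and should read "All logs must be sent to the PCI endpoints using HTTPS only." Step 1 carries the same "request to being" typo as the APM shortcode, and `[103]` is again defined but unused.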