Fivetran provides a platform for syncing many different types of data — including payment card data subject to PCI DSS. We’ve already earned SOC 2 Type II certification and ISO 27001 certification, and now our Business Critical plan has been validated for PCI DSS Level 1. This is critical for ecommerce customers, who can connect Fivetran to their PCI-validated data sources and transmit cardholder data to their PCI-validated destinations.
Why PCI DSS Level 1 Validation Is Important
The Fivetran data pipeline platform gives customers control over the types of data sources they connect and the types of data they replicate. We know that many customers need to sync data from systems within their own cardholder data environment — for example, a database containing credit card numbers, or SaaS apps that provide APIs for querying payment card data. Even if cardholder data is not synced by Fivetran, the strict requirements that PCI DSS applies to “connected-to & supporting systems” mean that our service needs to have its own PCI DSS validation.
Our mission is to make business data as accessible as electricity, and that means we need to support all the compliance and regulatory requirements our customers follow. PCI DSS is the latest framework in our journey to support every kind of data workload.
What Goes Into PCI Validation?
PCI DSS has 12 requirements encompassing 300 controls, all of which must be documented and assessed on an annual basis by a qualified security assessor (QSA). Here’s a brief overview of the steps we took to achieve PCI validation:
- Identify how and where the organization receives cardholder data (CHD). We’re not a transaction processor, but we are a data integration provider, and as such our services may be used to sync CHD. To meet the requirements of PCI DSS, Fivetran treats all customer data as if it could be CHD.
- Locate and document where account data is stored, processed or transmitted. The cardholder data environment (CDE) may be present in production environments used to deliver the Fivetran service.
- Identify all other system components, processes and personnel that are in scope. Fivetran has identified system components and services that process CHD or connect to systems that do.
- Implement controls to minimize scope to necessary components, processes and personnel. Fivetran documents controls to limit connectivity between the CDE and other in-scope systems. Fivetran has implemented the following controls to segment the CDE:
  - Network segmentation technologies: VPCs, subnets and firewalls
  - Encryption of cardholder data when transmitted over networks and stored in Fivetran systems
  - Role-based access controls that provide access only to Fivetran personnel with a “need to know”
  - Technical access controls using multi-factor authentication and device trust to limit access to production systems
  - Security by design in the Fivetran product architecture. Fivetran never shows customer data in the dashboard web application and maintains a default posture of no access to customer data unless explicitly authorized by the customer. We automatically revoke this access after 21 days.
- Implement all applicable PCI DSS requirements. All PCI DSS requirements are documented internally at Fivetran and reviewed annually by Fivetran security personnel.
- Maintain and monitor. PCI DSS controls are reviewed by the Fivetran GRC and internal audit personnel on an annual basis. People, processes and technologies in scope are re-identified in periodic reviews whenever changes are made.
How Does Fivetran Work With PCI-Related Data?
Regarding encryption, data retention and access controls, Fivetran treats all data synchronized through our service in the same way. Data is pulled from the source over a pre-configured connection, processed in a single-tenant container, and pushed to the customer's destination.
Fivetran maintains an information security management system (ISMS) that complies with the requirements of ISO 27001, PCI DSS and SOC 2 (Security, Availability and Confidentiality criteria). Controls for all compliance frameworks are to be documented in the Fivetran Security Control Library and mapped to NIST 800-53 controls.
Getting Started With PCI DSS Level 1 Certification
PCI validation is available on Fivetran Business Critical, the leading cloud data integration solution for security, data privacy and regulatory compliance.
Fivetran will continue to add additional frameworks and security capabilities to build the most secure and reliable data pipeline ever. If you have a specific regulatory or compliance requirement, please reach out to email@example.com. Our team would be happy to talk with you.
PCI validation is only one of the many security and compliance capabilities we offer. Learn more in our security white paper.