PCI-DSS compliance controls
PCI-DSS compliance controls provide enhancements that help you with payment card industry (PCI) compliance for your workspace.
PCI-DSS compliance controls require enabling the compliance security profile, which adds monitoring agents, enforces instance types for inter-node encryption, provides a hardened compute image, and other features. For technical details, see Compliance security profile. It is your responsibility to confirm that each workspace has the compliance security profile enabled if it’s needed.
Which compute resources get enhanced security
The compliance security profile enhancements apply to compute resources in the classic compute plane in all regions.
PCI-DSS supports serverless SQL Warehouses, serverless compute for notebooks and workflows, and serverless DLT pipelines in us-east-1
and ap-southeast-2
. See Compliance security profile compliance standards with serverless compute availability.
Requirements
Your Databricks account must include the Enhanced Security and Compliance add-on. For details, see the pricing page.
Your Databricks workspace is on the Enterprise pricing tier.
Single sign-on (SSO) authentication is configured for the workspace.
Your workspace enables the compliance security profile and adds the PCI-DSS compliance standard as part of the compliance security profile configuration.
You must use the following VM instance types:
General purpose:
M-fleet
,Md-fleet
,M5dn
,M5n
,M5zn
,M7g
,M7gd
,M6i
,M7i
,M6id
,M6in
,M6idn
Compute optimized:
C5a
,C5ad
,C5n
,C6gn
,C7g
,C7gd
,C7gn
,C6i
,C6id
,C7i
,C6in
Memory optimized:
R-fleet
,Rd-fleet
,R7g
,R7gd
,R6i
,R7i
,R7iz
,R6id
,R6in
,R6idn
Storage optimized:
D3
,D3en
,P3dn
,R5dn
,R5n
,I4i
,I3en
Accelerated computing:
G4dn
,G5
,P4d
,P4de
,P5
Ensure that sensitive information is never entered in customer-defined input fields, such as workspace names, cluster names, and job names.
Enable PCI-DSS compliance controls on a workspace
To configure your workspace to support processing of data regulated by the PCI-DSS standard, the workspace must have the compliance security profile enabled. You can enable the compliance security profile and add the PCI-DSS compliance standard across all workspaces or only on some workspaces.
To enable the compliance security profile and add the PCI-DSS compliance standard for an existing workspace, see Enable enhanced security and compliance features on an existing workspace.
To set an account-level setting to enable the compliance security profile and PCI-DSS for new workspaces, see Set account-level defaults for all new workspaces.
Important
Enabling a compliance standard for a workspace is permanent.
You are solely responsible for ensuring your own compliance with all applicable laws and regulations.
Preview features that are supported for processing credit card payment data
The following preview features are supported for processing of processing credit card payment data:
Workspace-level SCIM provisioning
Workspace-level SCIM provisioning is legacy. Databricks recommends using account-level SCIM provisioning, which is generally available.
Delta Live Tables Hive metastore to Unity Catalog clone API
-
Credential passthrough is deprecated starting with Databricks Runtime 15.0 and will be removed in future Databricks Runtime versions. Databricks recommends that you upgrade to Unity Catalog. Unity Catalog simplifies security and governance of your data by providing a central place to administer and audit data access across multiple workspaces in your account. See What is Unity Catalog?.
Does Databricks permit the processing of credit card payment data on Databricks?
Yes, if you comply with the requirements, enable the compliance security profile, and add the PCI-DSS compliance standard as part of the compliance security profile configuration.