PCI DSS – MongoDB Atlas

The Payment Card Industry Data Security Standard (PCI DSS) applies to all entities that store, process, and/or transmit cardholder data. MongoDB Cloud has been validated as a PCI compliant service provider by Coalfire Systems, Inc., an independent Qualified Security Assessor (QSA).

What is PCI DSS?

PCI DSS is an information security standard developed by the PCI Standards Security Council, and applies to all entities that store, process, and/or transmit cardholder data.

Is MongoDB Cloud PCI DSS certified?

Yes, MongoDB Cloud has achieved PCI DSS 3.2.1 certification as of September 8, 2020.

I am a PCI DSS merchant. Can I store cardholder data on MongoDB Cloud?

Yes. MongoDB Cloud is a PCI DSS certified service provider. Depending on a customer’s selection, MongoDB Atlas runs MongoDB on Amazon Web Services (AWS), Google Cloud Platform (GCP), and/or Microsoft Azure, which are each PCI DSS compliant. More details about PCI DSS compliance for these cloud providers can be found on their respective websites:

If I use MongoDB Cloud for storing, processing, and/or transmitting cardholder data, will I be automatically compliant with PCI DSS?

No. Customers must manage their own PCI DSS compliance certification, and additional testing will be required to verify that your environment satisfies all PCS DSS requirements. However, for the portion of the PCI cardholder data environment (CDE) in MongoDB Cloud, your Qualified Security Assessor (QSA) can rely on the MongoDB Cloud Attestation of Compliance (AOC) without further testing.

Where can I download the PCI DSS certificate for MongoDB Cloud?

The MongoDB Cloud PCI Attestation of Compliance (AOC) is available upon request. Please contact us for more information.

Which security features can help towards my PCI DSS compliance?

There are several features available in MongoDB Atlas that may help towards PCI DSS compliance, including:

Configure federated identity with an identity provider.
Create clusters with TLS 1.2 support by default.
Set up network peering or a Private Endpoint so that cardholder data is always encrypted over private networks between your cloud environment and Atlas.
Enable database auditing.
Use client-side field level encryption to encrypt document fields before they are sent to MongoDB Atlas.

Who is the Qualified Security Assessor (QSA) for MongoDB?

Coalfire Systems, Inc. is the independent QSA for MongoDB.

Which MongoDB services are in the scope of the PCI DSS certification?

The scope of PCI DSS 3.2.1 certification includes MongoDB Atlas, MongoDB Realm, MongoDB Charts, and MongoDB Atlas Data Lake. Any products or features that are in beta, preview, or similar are not in scope.

This page is for informational purposes only, and MongoDB does not intend the information or recommendations presented here to constitute legal advice. Each customer is responsible for independently evaluating its own particular use of MongoDB's services as appropriate to support its legal and compliance obligations.