PCI-DSS Compliance for HashiCorp Vault Secrets

Would HashiCorp Vault Secrets comply with PCI-DSS if I were to apply these methods:

  1. Identify and document how Vault will be used to meet specific PCI requirements.
  2. Develop and implement policies and procedures for using Vault in a PCI-compliant manner.
  3. Ensure Vault is located in the proper network location and access from Vault to CDE systems is limited to what is necessary.
  4. Regularly monitor and audit Vault to ensure ongoing compliance.
  5. Keep track of changes in PCI DSS requirements and adjust your Vault configurations and policies accordingly.

Hi @patrick.bob,

Are you talking about the multi-tenant HCP Vault Secrets service or “Vault Secrets” as in secrets stored in Vault?

Which tool you use, what level of PCI compliance you are required to meet, and what you are storing are all critical considerations.

PCI, generally speaking, like most regulations, does not have specific tools; it is more about how you use the tool to ensure compliance with their rules. I would suggest working with an auditor to ensure your processes are compliant.

Hi @jonathanfrappier ,

I am referring to the multi-tenant HCP Vault Secrets Service. Thank you for your reply, I will look into it with an auditor.


HVS is a nice service - but how you use it and what data you’re storing are really critical. For example, anyone with read access to an app can see the full secret; some PCI requirements state only certain people can see the full secret, while others can only see the last 4 characters.