JULY 2023
Foregenix, a Qualified Security Assessor, has performed the requisite audits of Instaclustr™ by NetApp® and issued an Attestation of Compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) at Level 1—the highest level of transactions.
The PCI DSS is a set of security standards designed to improve payment account security and prevent fraud throughout the transaction process by increasing control of credit card data. Compliance with the PCI DSS is required of all companies that process, store, or transmit credit card information through the five major payment card brands: American Express, Discover, the Japan Credit Bureau (JCB), MasterCard, and Visa.
Based on the total transaction volume over a 12-month period, companies are evaluated and classified at one of four levels, ranging from Level 1 for companies processing over 6 million transactions annually to Level 4 with fewer than 20,000 transactions a year.
The PCI Security Standards Council (PCI SSC), an independent body created by the major payment card corporations, sets the standards, administers the PCI DSS, and manages its ongoing evolution.
As a PCI-certified service provider, Instaclustr undergoes an annual PCI audit to confirm that it is maintaining the strict security protocols required by the payment card industry. NetApp engages Foregenix, a Qualified Security Assessor (QSA), to validate compliance with the PCI DSS through an assessment that includes quarterly vulnerability scans. In addition to the annual assessment, NetApp engages Foregenix anytime there’s a significant change to the Instaclustr platform. Instaclustr by NetApp has been certified as a Level 1 service provider.
Note that PCI DSS compliance of Instaclustr by NetApp doesn’t translate automatically to PCI DSS certification for the services that customers run on our accredited Instaclustr platform. Customers must engage their own QSA to validate that their services comply with PCI DSS requirements.
Instaclustr has four main offerings covered by PCI certification, which are currently restricted to AWS:
For more details, including the full list of customer requirements for running a PCI-managed service, refer to the PCI compliance documentation.
The Instaclustr management network, which deploys, manages, and monitors all components of a customer’s data infrastructure, must comply with all required PCI controls. This means that even customers who do not elect PCI-level security on their own managed infrastructure still benefit from Instaclustr’s strict adherence to PCI security policies.
