Responsibility Matrix
Purpose
DataDome provides below a detailed matrix of PCI DSS requirements, describing for each individual control whether responsibility lies with DataDome, with our customers, or is shared between both parties.
Overview
The PCI DSS responsibility matrix is intended for DataDome customers and their Qualified Security Assessors (QSAs) to use during PCI compliance audits. In accordance with Requirement 12.8.5 and related requirements, it describes the actions a DataDome customer must take to maintain its own PCI compliance; where a control is marked as a customer responsibility, DataDome provides the capability but compliance depends on the customer configuring and operating it.
Responsibility Matrix
PCI DSS Req. | Activity | DataDome Responsibility | Customer Responsibility | DataDome RACI | Customer RACI | How This Control Supports Customer Compliance |
---|---|---|---|---|---|---|
6.4.3 | Configure and schedule scans | Runs scans at set frequency; maintains scanning infrastructure. | Defines scan frequency and scope to align with internal PCI policies. | R/A | A | Ensures detection process meets PCI DSS periodic monitoring and scope requirements for script inventory. |
6.4.3 | Detect changes to payment page scripts | Detects additions, modifications, and removals of scripts; correlates with historical data. | Ensures all critical scripts are in scope for scanning. | R/A | A | Provides automated monitoring needed to identify unauthorized or unexpected scripts for 6.4.3 compliance. |
6.4.3 | Present changes for review | Displays detected changes with context in the portal. | Reviews, classifies, and documents decisions for each change. | R/A | R/A | Supplies the evidence and detail required for the customer to validate and authorize scripts in compliance with PCI DSS. |
6.4.3 | Generate Content Security Policy (CSP) | Provides CSP generation tool based on approved scripts. | Validates CSP configuration and owns final policy decision. | R/A | A | Helps enforce only authorized scripts by generating a CSP aligned with approved inventory. |
6.4.3 | Deploy CSP to production | Provides CSP export format for deployment. | Deploys CSP to production and verifies it works as intended. | R/A | R/A | Supports enforcement of authorized scripts and prevention of unauthorized execution, aiding 6.4.3 compliance. |
7.2 | Assign and manage role-based access | Provides predefined roles based on least privilege. | Assigns appropriate roles to users, reviews regularly, and revokes when not needed. | R/A | R/A | Supports the ability to meet 7.2 by enabling least privilege; failure to configure correctly can result in non-compliance. |
8.4 | Configure and enforce multi-factor authentication (MFA) | Provides MFA capability; enforces MFA where configured by the customer. | Enables MFA for all applicable accounts and enforces policy per PCI DSS requirements. | R/A | R/A | Supports 8.4 compliance by providing MFA capability; failure to enable MFA can cause non-compliance. |
10.7.2 | Retain change detection history and user decisions | Stores detections, user responses, and justifications. | Reviews logs on a regular basis to detect, alert on, and address failures of critical security controls. | R/A | A | Supplies part of the log retention and review evidence needed to meet PCI DSS 10.7.2. |
10.2 / 10.4 / 10.7 | Maintain audit trail of user activity | Captures and retains timestamped audit logs of all user actions in the portal. | Manages user access and authorization; reviews logs on a regular basis to identify any malicious or unauthorized activity. | R/A | A | Supports PCI DSS logging requirements by providing auditable records of all user activities. |
11.6.1 | Configure and schedule scans | Runs scans at set frequency per configuration; maintains scanning infrastructure. | Defines scan frequency and scope to align with internal PCI policies. | R/A | A | Ensures detection process meets PCI DSS periodic monitoring and scope requirements for change and tamper detection. |
11.6.1 | Enable and monitor alerting | Provides alerting capabilities for detected changes. | Enables alerts, monitors them, and acts on notifications. | R/A | R | Supports 11.6.1 by ensuring customers receive and respond to alerts about unauthorized changes. |
11.6.1 | Detect unauthorized changes | Performs scans to detect changes in scripts, iFrames, CSS, CSP and headers. | Investigates and remediates unauthorized changes; validates effectiveness. | R/A | R/A | Directly enables 11.6.1 compliance by detecting and reporting unauthorized changes. |
12.10.5 | Notify on potential incidents | Notifies customers upon detection of potential incidents. | Acknowledges the notifications received and activates the appropriate response defined in its incident response plan. | R/A | R/A | Ensures timely communication so the customer can meet incident response and reporting obligations under PCI DSS. |
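The 6.4.3 and 11.6.1 rows above describe one workflow: inventory the scripts on a payment page, detect additions, modifications and removals against an approved baseline, and generate a Content Security Policy from the approved set so that only authorized scripts execute. The Python below is an added illustration of that workflow and is not DataDome's product code. The two HTML documents, the hostnames in them and the baseline are constructed samples; external scripts are identified by URL only (a production scanner would also fetch and hash their bodies), and the policy check is an offline approximation of what a browser enforces.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the approved (baseline) payment page.
BASELINE_HTML = """<html><head>
<script src="https://js.example-psp.com/v3/checkout.js"></script>
<script>window.checkoutConfig = {currency: "EUR"};</script>
</head><body><script src="/static/app.js"></script></body></html>"""

# Constructed sample: the same page after an unauthorized change
# (one new external script, one inline script modified).
CURRENT_HTML = """<html><head>
<script src="https://js.example-psp.com/v3/checkout.js"></script>
<script>window.checkoutConfig = {currency: "EUR", debug: true};</script>
<script src="https://cdn.attacker-example.net/skim.js"></script>
</head><body><script src="/static/app.js"></script></body></html>"""


class _ScriptCollector(HTMLParser):
    """Collects every <script>: URL for external, SHA-256 of body for inline."""

    def __init__(self):
        super().__init__()
        self.scripts = {}   # key -> sha256 digest bytes (None for external)
        self._inline = 0    # position counter so inline scripts have stable keys
        self._buf = None    # body of the inline script currently being read

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts[src] = None  # external: not fetched in this offline example
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).encode()
            self.scripts[f"inline#{self._inline}"] = hashlib.sha256(body).digest()
            self._inline += 1
            self._buf = None


def inventory(html):
    """Return {script_key: digest_or_None} for all scripts on the page."""
    p = _ScriptCollector()
    p.feed(html)
    return p.scripts


def diff_inventory(baseline, current):
    """Classify changes as added, removed or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def _csp_source(key, digest):
    """Map an inventory entry to the CSP source expression that allows it."""
    if key.startswith("inline#"):
        return "'sha256-%s'" % base64.b64encode(digest).decode()
    parts = urlsplit(key)
    return f"{parts.scheme}://{parts.netloc}" if parts.netloc else "'self'"


def generate_script_src(approved):
    """Build a script-src directive that allows only the approved inventory."""
    sources = []
    for key, digest in approved.items():
        src = _csp_source(key, digest)
        if src not in sources:
            sources.append(src)
    return "script-src " + " ".join(sources)


def blocked_by_policy(script_src, current):
    """Offline check: which scripts on the current page would the policy block?"""
    allowed = set(script_src.split()[1:])
    return [k for k, d in current.items() if _csp_source(k, d) not in allowed]


if __name__ == "__main__":
    base, cur = inventory(BASELINE_HTML), inventory(CURRENT_HTML)
    print("changes:", diff_inventory(base, cur))
    policy = generate_script_src(base)
    print("policy:", policy)
    print("blocked on current page:", blocked_by_policy(policy, cur))
```

Run as-is, the diff reports `skim.js` as added and `inline#0` as modified; the policy generated from the baseline allows `https://js.example-psp.com`, the hash of the original inline snippet and `'self'`, and the offline check shows it would block both the injected script and the modified inline snippet. The hash source is why the inline script shows up as blocked after any edit: that is the intended behaviour, and each reviewed change must be re-approved and the policy regenerated before deployment (the "Deploy CSP to production and verify it works as intended" step in the matrix).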