--- layout: handbook-page-toc title: "GitLab PCI Compliance" --- ## On this page {:.no_toc .hidden-md .hidden-lg} - TOC {:toc .hidden-md .hidden-lg} ## What is PCI? PCI is the shorthand for the Payment Card Industry's Data Security Standard (PCI-DSS) as defined by the [PCI security standards council](https://www.pcisecuritystandards.org/). The PCI-DSS defines the requirements of businesses that accept or facilitate credit card payments based on type or amount of transactions accepted or facilitated. ## What are GitLab's requirements for PCI compliance? GitLab is an open core solution that provides both a free and tiered paid plans that primarily utilizes credit card payments for subscriptions. Because of the low number of credit card transactions GitLab is involved with and the fact that we use a third-party payment processor, GitLab is currently a level 4 merchant for PCI. Level 4 merchants are required to complete an annual self-attestation questionnaire (SAQ) and since we fully outsource payment processing, specifically the SAQ-A. Quarterly scanning of our PCI systems must also be performed by an approved scanning vendor (ASV), GitLab uses Tenable.io. ## What is GitLab's current state of PCI compliance? GitLab has completed an SAQ-A form and regularly performs scans of our in-scope PCI systems by an ASV. The SAQ-A form (and associated Attestation of Compliance (AoC)) and the results of our ASV scans are available upon request. Please send an email to [security@gitlab.com](mailto:security@gitlab.com) to request these documents. ## What is considered a PCI system? Determining how a system may interact with the payment processing system is important when defining which systems are in-scope for PCI compliance. The following diagram demonstrates in-scope (connected-to) vs. out-of-scope (not connected-to) when defining the PCI environment: ```mermaid graph TB SubGraph2Flow subgraph "Out-of-Scope B" SubGraph2Flow(System D) end SubGraph1Flow subgraph "Out-of-Scope A" SubGraph1Flow(System C) end subgraph "In-Scope for PCI" Node1[Payment Processing System] --> Node2[Connected-To System A] Node1[Payment Processing System] --> Node3[Connected-To System B] Node2 --> SubGraph1Flow(System C) Node3 --> SubGraph2Flow(System D) end ``` **Please Note:** * Connected-to systems create a buffer for the out-of-scope systems from directly connecting to the payment processing system. * It does not matter where a system resides (i.e. different cloud environment), if it communicates with the payment processing system, it is in-scope for PCI. ## GitLab's PCI Environment ```mermaid graph TB Node10[External Facing Host] Node11[Internal Facing Host] SubGraph4Flow subgraph "Out-of-Scope C" SubGraph4Flow(System E) end SubGraph2Flow subgraph "Out-of-Scope B" SubGraph2Flow(System D) end SubGraph1Flow subgraph "Out-of-Scope A" SubGraph1Flow(System C) end subgraph "In-Scope for PCI" SubGraph3Flow[customers.gitlab.com] -- GitLab Internal OAuth --> Node2[dev.gitlab.org] SubGraph3Flow[customers.gitlab.com] -- GitLab License Managmement --> Node17[license.gitlab.com] SubGraph3Flow[customers.gitlab.com] -- GitLab Configuration Management --> Node3[Chef Server] SubGraph3Flow[customers.gitlab.com] -- Security Logging --> Node7[Gitlab-PCI] Node2 --> SubGraph1Flow(System C) Node3 --> SubGraph2Flow(System D) Node17 --> SubGraph4Flow(System E) end subgraph "External PCI Vendors" Node4[Stripe] -- Zuora iFrame --> SubGraph3Flow[customers.gitlab.com] Node5[Zuora] -- Zuora iFrame --> SubGraph3Flow[customers.gitlab.com] Node20[SalesForce] --> SubGraph3Flow[customers.gitlab.com] sub[Shopify-swag.gitlab.com] end style SubGraph3Flow fill:#ffcccc style Node11 fill:#a2f2a9 style Node10 fill:#ffcccc style Node17 fill:#ffcccc style Node20 fill:#ffcccc style Node7 fill:#a2f2a9 style Node5 fill:#ffcccc style Node4 fill:#ffcccc style Node3 fill:#ffcccc style Node2 fill:#ffcccc style sub fill:#ffcccc style SubGraph2Flow fill:#a2f2a9 style SubGraph4Flow fill:#a2f2a9 style SubGraph1Flow fill:#a2f2a9 ``` ### Systems Detail | System | Purpose | Location | Scope | Reasoning | |---------------------- |------------------------------------------------------------------------------------------------------------------------- |--------------- |------------------ |----------------------------------------------------------------------------------------------------------- | | customers.gitlab.com | GitLab system for providing customers the ability to create and pay for tiered product subscriptions with a credit card | Azure | PCI | Displays the Zuora iFrame to create/manage subscriptions and to process credit card payments using Stripe | | dev.gitlab.org | Gitlab system that hosts the GitLab team member OAuth | Azure | Connected-To PCI | Provides GitLab team members secure access to customers.gitlab.com to maintain and support | | Chef Server | GitLab system for configuration management | Digital Ocean | Connected-To PCI | Provides configuration management for customers.gitlab.com | | gitlab-pci | GitLab system for external logging of customers.gitlab.com (fully segmented GCP project) | GCP | Connected-To PCI | Logs of customers.gitlab.com must be shipped off the system in a secured environment | | license.gitlab.com | GitLab license management system | AWS | Connected-To PCI | Generates licenses that allows customers to run GitLab instances | | SalesForce | Third-party customer resourcee management platform | SalesForce | Connected-To PCI | Ingests customer subscription information from customers.gitlab.com | | Stripe | Third-party payment processor | Stripe | PCI | Payment processor | | Zuora | Third-party subscription management platform | Zuora | PCI | Subscription management platform | | Shopify | Third-party payment processor and swag.gitlab.com host | AWS | PCI | Hosts swag.gitlab.com | ## Service Provider Matrix This is a list of service providers who handle credit card transactions on behalf of GitLab: | Company/Product Name | Service Provided | Risk Assessment | Data Shared | Data Encryption Used | Written Agreement | PCI Validation | Expiration Date | Requirements Responsible For | | --- | --- | --- | --- | --- | --- | --- | --- | --- | | Shopify | E-Commerce Platform | Shopify Risk Acceptance | email address, first and last name, shipping address, phone number, and credit card information | in-transit: TLS 1.2+, at-rest: Merchant and customer data is encrypted at rest and sensitive information is further encrypted at the application layer. | [Shopify ToS](https://www.shopify.com/legal/terms) | Shopify AOC | 2019-7-21 | 6 and 7 | | Stripe | Payment Processor | Stripe DPIA | | in-transit: TLS 1.2; at-rest: AES-256 | [Stripe SSA](https://stripe.com/ssa) | Stripe AOC | 2020-2-29 | 6, 7, 11 and 12 | | Zuora | E-Subscription Platform | Zuora DPIA | | in-transit: AES 256 TLS; at-rest: server-side encryption (SSE) with AWS Key Management Service (SSE-KMS) | Zuora MSA (on file) | Zuora AOC | 2019-6-27 | 5, 6, 7, 10, 11 and 12 | #### Matrix Key The following table correlates each column of data back to its specific control:
Column | Control |
---|---|
Company/Product Name | TPM.1.01 - Third Party Assurance Review |
Service Provided | |
Risk Assessment | TPM.1.02 - Vendor Risk Management |
Data Shared | |
Data Encryption Used | |
Written Agreement | TPM.2.02 - Vendor Non-Disclosure Agreement |
PCI Validation |
TPM.1.04 - Vendor Compliance Monitoring |
Expiration Date | |
Requirements Responsible For |