PCI-DSS compliance


Has anyone been through PCI-DSS compliance with an eventstore as the backbone of the system?

Kind regards


Not GES specifically, but we have certed other DB techs (DSS 2/3.0/3.1, not a level 1 vendor).

It’s pretty standard due diligence stuff; most doesn’t involve the actual DB tech. It’s more about access controls, SDLC docs, access, encryption of sensitive data, facility certs, and other supporting concerns.

But if I’ve learned one thing about PCI, it is always “ask your auditor.” Every rule seems to have exceptions. I assume you have a contract with a compliance service, like Neohapsis?


Pretty much this. Best bet is to speak with an auditor on it.

I know of a company in the US that has PCI compliance and is using Event Store on some of the “critical paths” so it’s certainly not a barrier to it.