PCI DSS configuration guide for AppSheet

For a customer to be compliant on AppSheet with the Payment Card Industry Data Security Standard (PCI DSS), there are some actions and processes the customer owns under the "Shared Responsibility Model." The following items should be reviewed by customers who are required to be PCI DSS compliant. These items are self-service within AppSheet and need to be addressed for the customer organization (org) to be PCI DSS compliant. The overarching concept is "Google secures the platform, the customer secures their data."

Customer responsibility

The following table lists the requirements for which the customer has responsibility in order to be PCI DSS compliant. For more information about the requirements, see PCI DSS Quick Reference Guide.

For all other PCI DSS requirements not listed in this table, AppSheet and its production environment comply with the standard.
PCI DSS requirement Section
Requirement 3: Protect stored cardholder data Data masking
Requirement 3: Protect stored cardholder data Data storage
Requirement 4: Encrypt transmission of cardholder data across open, public networks Data encryption
Requirement 7: Restrict access to cardholder data by business need to know Use/Authorizations
Requirement 8: Assign a unique ID to each person with computer access Complex password requirements or OAuth 
Requirement 10: Track and monitor all access to network resources and cardholder data Audit trail

Data masking

AppSheet offers the ability to mark certain data in a customer's data store as sensitive, which obscures it in the audit logs. Masking sensitive data is part of PCI DSS Requirement 3 - Protect stored cardholder data. Any data subject to PCI DSS processed with an AppSheet app must be marked as sensitive by the customer, as described in Sensitive Personally Identifiable Information (PII) data policy.

Data storage

AppSheet does not permanently store customer data, instead it is stored in the data source configured and controlled by the customer. Customers should make sure that any data sources used by AppSheet are PCI DSS compliant per PCI DSS Requirement 3 - Protect stored cardholder data.

Data encryption

AppSheet applications can only be accessed over HTTPs which ensures that traffic between the end user and AppSheet is encrypted. Customers are responsible for ensuring that any data sources are configured to use encryption. See Using data from MySQL for details.

Use/Authorizations

User and policy management is a customer responsibility. Team Root and Admin accounts can create and manage team policies that define access rights for their accounts and applications. Details are provided in Define governance policies.

Complex password requirements or OAuth

Users authenticate to AppSheet apps using OAuth via an identity provider. Customers should make sure that their identity provider is PCI DSS compliant, and that the AppSheet application is restricted to only allow access to signed-in users, as described in Require sign-in: The Essentials. (PCI DSS Requirement 8: Assign a unique ID to each person with computer access}

Audit trail

Customers have the ability to review the audit trail of all administrative activities performed within the customer's org, including the use of Trace. Detailed instructions are provided in Monitor app activity using Audit History. (PCI DSS Requirement 10: Track and monitor all access to network resources and cardholder data)


 

Was this helpful?

How can we improve it?

Need more help?

Try these next steps:

Search
Clear search
Close search
Google apps
Main menu
14024538464518101634
true
Search Help Center
true
true
true
false
false