
PCI DSS Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard developed by the PCI Security Standards Council. It applies to all entities that store, process, or transmit cardholder data and provides a baseline of technical and operational requirements designed to protect payment account data.

Under PCI DSS:

  • Cardholder Data (CHD) is payment card information that an entity stores, processes, or transmits in its systems.

  • Cardholder Data Environment (CDE) refers to the systems and networks that store, process, or transmit cardholder data, as well as systems that directly connect to or support the CDE.

  • MongoDB is a Service Provider, meaning an entity that stores, processes, or transmits cardholder data (CHD) on behalf of another entity, or can impact the security of the cardholder data environment (CDE).

We understand that PCI DSS compliance is a shared responsibility between MongoDB, you, and your end customers. The following sections describe MongoDB Atlas and Atlas For Government features that can support your compliance with PCI DSS.

Important

MongoDB Cloud is a PCI DSS certified service provider as of November 2025. To learn more about MongoDB's PCI DSS validation, including information on contractual agreements, see:

To obtain the MongoDB Cloud PCI Attestation of Compliance (AOC):

The MongoDB PCI DSS Responsibility Matrix is a formal mapping of PCI DSS controls to the responsible party (MongoDB, the customer, or both). To obtain the Responsibility Matrix:

When you architect systems that handle cardholder data, you can choose between two MongoDB database environments based on your compliance requirements:

  • MongoDB Atlas is our commercial, fully managed database solution. Choose MongoDB Atlas when you want a fully managed, globally available database solution that is PCI DSS validated.

  • Atlas For Government is a separate, dedicated environment of MongoDB Atlas built specifically for U.S. government requirements. It is PCI DSS validated and FedRAMP Moderate authorized. Choose Atlas For Government when you want a dedicated, isolated environment that meets multiple U.S. compliance standards, including PCI DSS.

Note

Recommendations on this page focus on standard Atlas solutions. To learn more about Atlas For Government features and capabilities related to the same topics, see our Atlas For Government documentation.

PCI DSS requires entities to protect CHD with strong cryptography during transmission over open, public networks (Requirement 4).

The following MongoDB Atlas Architecture Center articles describe Atlas features that support compliance in this area:

  • Guidance for Atlas Data Encryption: Ensure data encryption in transit (TLS), at rest (AES-256, BYOK, CMK, KMS, TDE), and in use (CSFLE, Queryable Encryption).

You can also use Atlas Resource Policies, which are defined at the organization level and constrain every project in the organization, to impose a minimum TLS version or require a specific TLS cipher suite configuration for cluster connections.
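As an added example (not taken from the Atlas documentation), the following Atlas Resource Policy, written in the Cedar policy language that resource policies use, rejects any cluster change whose minimum TLS version is not TLS 1.2. The action name `cloud::Action::"cluster.modify"`, the context attribute `context.cluster.minTLSVersion`, and the enum value `cloud::tlsVersion::"TLS1_2"` are written from memory of the Atlas Resource Policies reference and are assumptions to verify against the current schema before deploying:

```cedar
// Added example, not MongoDB's own policy text.
// Assumption: action, context attribute and enum names below follow the
// Atlas Resource Policies Cedar schema; verify them before use.
//
// Semantics: a cluster create/modify is forbidden UNLESS the resulting
// cluster's minimum TLS version is exactly TLS 1.2. Any attempt to lower
// the floor to TLS 1.0 or 1.1 (both retired by PCI DSS as "early TLS")
// is denied at the control plane, so a project owner cannot weaken it.
forbid (
    principal,
    action == cloud::Action::"cluster.modify",
    resource
) unless {
    context.cluster.minTLSVersion == cloud::tlsVersion::"TLS1_2"
};
```

Because the policy uses `unless` rather than `when`, the deny branch also fires when the attribute is absent or unexpected, which is the safe default for a compliance guardrail; if Atlas later adds a higher allowed value, extend the condition to a set membership check instead of the single equality.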

PCI DSS requires entities to restrict access to system components and cardholder data by Business Need to Know (Requirement 7).

The following MongoDB Atlas Architecture Center articles describe Atlas features that support compliance in this area:

  • Guidance for Atlas Authentication: Control access to your Atlas databases by implementing secure identity management with authentication mechanisms such as Federated Authentication with IdPs, AWS IAM role authentication, multi-factor authentication (MFA), and more.

  • Guidance for Atlas Authorization: Ensure that only authorized personnel can access CHD based on their specific job functions and responsibilities by implementing secure access management with role-based access control (RBAC).

PCI DSS requires entities to install and maintain network security controls to control traffic within an entity's own networks, and also to protect resources from exposure to untrusted networks (Requirement 1).

The following MongoDB Atlas Architecture Center articles describe Atlas features that support compliance in this area:

  • Guidance for Atlas Network Security: Safeguard network access to Atlas clusters and protect cardholder data during transmission with encryption in transit, IP access lists, firewall configurations, private endpoints, and network isolation.

You can also use Atlas Resource Policies to enforce the following network security standards:

  • Prohibit the wildcard CIDR 0.0.0.0/0 in the IP access list, which would otherwise admit connections from every public IPv4 address.

  • Prohibit traffic through public networks by requiring that the IP access list remain empty or by preventing additions to an existing IP access list.

  • Prevent modifications to VPC peering and private endpoint connections across cloud providers.
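The three rules above, as an added example in the Cedar policy language used by Atlas Resource Policies (this is not MongoDB's own policy text). The action names `cloud::Action::"project.ipAccessList.modify"`, `cloud::Action::"project.peeringConnection.modify"` and `cloud::Action::"project.privateEndpoint.modify"`, and the context attribute `context.project.ipAccessList`, are written from memory of the Atlas Resource Policies reference and are assumptions to check against the current schema:

```cedar
// Added example, not MongoDB's own policy text.
// Assumption: action and context attribute names follow the Atlas
// Resource Policies Cedar schema; verify them before deploying.

// 1. Wildcard ban: deny any IP access list change whose resulting list
//    contains 0.0.0.0/0. Cedar's ip() extension parses the CIDR so the
//    comparison is on the network value, not on a string.
forbid (
    principal,
    action == cloud::Action::"project.ipAccessList.modify",
    resource
) when {
    context.project.ipAccessList.contains(ip("0.0.0.0/0"))
};

// 2. No public ingress at all: the only permitted IP access list change
//    is one that leaves the list empty, which forces every client onto
//    peering or private endpoints. Keep either rule 1 or rule 2; rule 2
//    subsumes rule 1 for projects that must be private-only.
forbid (
    principal,
    action == cloud::Action::"project.ipAccessList.modify",
    resource
) unless {
    context.project.ipAccessList.isEmpty()
};

// 3. Freeze private connectivity: once peering and private endpoints are
//    configured, no project-level user may alter them. Changes must go
//    through whoever edits the organization's resource policies instead.
forbid (
    principal,
    action in [
        cloud::Action::"project.peeringConnection.modify",
        cloud::Action::"project.privateEndpoint.modify"
    ],
    resource
);
```

Rule 3 is deliberately unconditional: a `forbid` with no `when`/`unless` clause denies the listed actions for every principal and resource in the organization, so apply it only after the intended peering and endpoint topology is in place, and remove it (rather than granting exceptions) when that topology must change.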

PCI DSS requires entities to log and monitor all access to system components and CHD (Requirement 10).

The following MongoDB Atlas Architecture Center articles describe Atlas features that support compliance in this area:
