Creating a PCI Compliant Apache Kafka Cluster

Overview

The PCI compliance standards relate to the security of user data and transactional information. Customers who require their application to be PCI compliant, or would like to take advantage of its additional security features, can choose to create a PCI compliant Apache Kafka Cluster. You can read more about PCI and our support for it here.

Note: Enabling PCI causes extra logging to occur, for example, to track every action taken by any user. It also activates some OS level security features. Both of these end up having an impact on the performance of the cluster. This should be insignificant in most cases; however, it is recommended you test the performance of your cluster in a non-production environment to ensure any impacts from enabling PCI are acceptable.

Enable PCI Compliance - Account Security Settings

Before creating a PCI cluster, we need to enable PCI compliance on the account. Navigate to Account Settings under the Settings Cog in the top right of Console. Then select the Security tab.

Select the checkbox under PCI Compliance to make your account PCI compliant. This allows you to access the requirements for using PCI with a cluster.

Note: PCI compliance relies on multi-user access, so we require having 2 account owners in case of loss of access for one person. This satisfies the first section of the PCI requirements.

Creating a Cluster

You can continue with the Console interface to provision a PCI compliant cluster, or alternatively you can use the Instaclustr Provisioning API.

Navigate to the Create Cluster wizard and create a cluster according to your requirements, but be sure to enable the PCI Compliance Mode checkbox under Enterprise features. You can refer to our support article on Creating an Apache Kafka Cluster for more information.

Currently, PCI compliance mode is only available for Apache Cassandra, Apache Kafka, OpenSearch, and Redis as the base application, and Amazon Web Services as the infrastructure provider.

Enable Karapace Schema Registry on Kafka PCI clusters

You can enable the Karapace Schema Registry add-on on a Kafka cluster with PCI enabled.

Transitioning an Existing Cluster

If you are looking to transition an existing cluster to become PCI compliant, or have additional questions around our PCI compliant clusters, please contact the Instaclustr Support Team.

Limitations

  • PCI Compliant Kafka clusters cannot use the PLAINTEXT listener connection method. This method does not have any authentication or encryption, so it is not PCI Compliant.
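
To catch the PLAINTEXT limitation above before a client is pointed at a PCI cluster, the following added example (not Instaclustr code) audits Kafka client .properties text for its security.protocol setting. The function names, host names and file paths are assumptions made for illustration, and the SASL_PLAINTEXT finding goes beyond the limitation stated on this page.

```python
# Added example (not Instaclustr code): audit Kafka client .properties text
# for the PLAINTEXT connection method that PCI clusters do not accept.
KNOWN = {"PLAINTEXT", "SSL", "SASL_PLAINTEXT", "SASL_SSL"}

def parse_properties(text):
    """Parse Java-style .properties text into a dict (last value wins)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        # Split at the first '=' or ':' so host:port values stay intact.
        idx = min((i for i in (line.find("="), line.find(":")) if i != -1), default=-1)
        if idx > 0:
            props[line[:idx].strip()] = line[idx + 1:].strip()
    return props

def audit_client_config(text):
    """Return findings; an empty list means no PLAINTEXT use was found."""
    props = parse_properties(text)
    if "security.protocol" not in props:
        # Kafka clients fall back to PLAINTEXT when the key is absent.
        return ["security.protocol not set: client defaults to PLAINTEXT"]
    proto = props["security.protocol"].upper()
    if proto not in KNOWN:
        return [f"security.protocol={proto}: not a Kafka security protocol"]
    if proto == "PLAINTEXT":
        return ["security.protocol=PLAINTEXT: no authentication or encryption"]
    if proto == "SASL_PLAINTEXT":
        # Beyond the page's stated limitation: SASL without TLS.
        return ["security.protocol=SASL_PLAINTEXT: authenticated but unencrypted"]
    return []

# Constructed sample inputs; host names and paths are placeholders.
WEAK = "bootstrap.servers=broker.example.internal:9092\nsecurity.protocol=PLAINTEXT\n"
IMPLICIT = "# no protocol line\nbootstrap.servers=broker.example.internal:9092\n"
HARDENED = """bootstrap.servers=broker.example.internal:9092
security.protocol=SASL_SSL
sasl.mechanism=SCRAM-SHA-256
ssl.truststore.location=/path/to/truststore.jks
"""

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("implicit", IMPLICIT), ("hardened", HARDENED)):
        print(name, audit_client_config(sample) or "ok")
```

A client configuration that omits security.protocol is reported as well, because that client would attempt a PLAINTEXT connection by default.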
By Instaclustr Support