For a customer to be compliant on AppSheet with the Payment Card Industry Data Security Standard (PCI DSS), there are some actions and processes the customer owns under the "Shared Responsibility Model." The following items should be reviewed by customers who are required to be PCI DSS compliant. These items are self-service within AppSheet and need to be addressed for the customer organization (org) to be PCI DSS compliant. The overarching concept is "Google secures the platform, the customer secures their data."
Customer responsibility
The following table lists the requirements for which the customer has responsibility in order to be PCI DSS compliant. For more information about the requirements, see PCI DSS Quick Reference Guide.
PCI DSS requirement | Section |
--- | --- |
Requirement 3: Protect stored cardholder data | Data masking |
Requirement 3: Protect stored cardholder data | Data storage |
Requirement 4: Encrypt transmission of cardholder data across open, public networks | Data encryption |
Requirement 7: Restrict access to cardholder data by business need to know | Use/Authorizations |
Requirement 8: Assign a unique ID to each person with computer access | Complex password requirements or OAuth |
Requirement 10: Track and monitor all access to network resources and cardholder data | Audit trail |
Data masking
AppSheet offers the ability to mark certain data in a customer's data store as sensitive, which obscures it in the audit logs. Masking sensitive data is part of PCI DSS Requirement 3 - Protect stored cardholder data. Any data subject to PCI DSS processed with an AppSheet app must be marked as sensitive by the customer, as described in Sensitive Personally Identifiable Information (PII) data policy.
Data storage
AppSheet does not permanently store customer data; instead, data is stored in the data source configured and controlled by the customer. Customers should make sure that any data sources used by AppSheet are PCI DSS compliant per PCI DSS Requirement 3 - Protect stored cardholder data.
Data encryption
AppSheet applications can only be accessed over HTTPS, which ensures that traffic between the end user and AppSheet is encrypted. Customers are responsible for ensuring that any data sources are configured to use encryption. See Using data from MySQL for details.
Use/Authorizations
User and policy management is a customer responsibility. Team Root and Admin accounts can create and manage team policies that define access rights for their accounts and applications. Details are provided in Define governance policies.
Complex password requirements or OAuth
Users authenticate to AppSheet apps using OAuth via an identity provider. Customers should make sure that their identity provider is PCI DSS compliant, and that the AppSheet application is restricted to only allow access to signed-in users, as described in Require sign-in: The Essentials. (PCI DSS Requirement 8: Assign a unique ID to each person with computer access)
Audit trail
Customers have the ability to review the audit trail of all administrative activities performed within the customer's org, including the use of Trace. Detailed instructions are provided in Monitor app activity using Audit History. (PCI DSS Requirement 10: Track and monitor all access to network resources and cardholder data)