PCI-DSS and Apache Kafka
If your Kafka clusters process cardholder data, they fall under PCI-DSS scope. Requirements like encryption in transit (Req 4), access controls (Req 7), and audit logging (Req 10) all apply to your Kafka infrastructure.
Manually mapping Kafka configurations to PCI-DSS requirements is tedious and error-prone. KafkaGuard automates this.
Running a PCI-DSS Scan
Use the enterprise-default or finance-iso policy tier — both include PCI-DSS control mappings:
```bash
kafkaguard scan \
  --bootstrap kafka-prod:9092 \
  --sasl-mechanism SCRAM-SHA-512 \
  --sasl-user audit-user \
  --sasl-password "$KAFKA_PASSWORD" \
  --policy enterprise-default \
  --format pdf \
  --out pci-audit-report.pdf
```
Key PCI-DSS Controls
KafkaGuard checks these PCI-DSS-relevant controls:
| Control | PCI-DSS Req | What It Checks |
|---|---|---|
| SEC-001 | Req 4.1 | TLS encryption on all listeners |
| SEC-002 | Req 8.1 | SASL authentication enabled |
| SEC-004 | Req 7.1 | ACL authorization configured |
| SEC-005 | Req 4.1 | SSL certificate validity |
| REL-001 | Req 10.5 | Replication for data integrity |
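To make the mapping in the table concrete, here is an added example (not KafkaGuard's own code) that evaluates four of the listed controls against a broker `server.properties`. The control ids and PCI-DSS requirement numbers are taken from the table above; the pass/fail thresholds for REL-001 (`default.replication.factor` of at least 3 and `min.insync.replicas` of at least 2) and the sample config are assumptions of this example. SEC-005 is omitted because certificate validity needs the certificate itself, not the properties file.

```python
"""PCI-DSS-style control checks over a Kafka broker server.properties.

Added example, not KafkaGuard's code. Control ids and PCI requirement
numbers follow the table on this page; the REL-001 thresholds and the
sample broker config below are assumptions of this example.
"""
from dataclasses import dataclass

PLAINTEXT_PROTOCOLS = {"PLAINTEXT", "SASL_PLAINTEXT"}
SASL_PROTOCOLS = {"SASL_SSL", "SASL_PLAINTEXT"}


def parse_properties(text: str) -> dict:
    """Parse Java-style key=value properties, skipping blanks and comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def listener_protocols(props: dict) -> dict:
    """Map each listener name to its security protocol.

    `listeners` entries look like NAME://host:port; NAME is either a security
    protocol itself or an alias resolved via listener.security.protocol.map.
    """
    proto_map = {}
    for pair in props.get("listener.security.protocol.map", "").split(","):
        name, sep, proto = pair.partition(":")
        if sep:
            proto_map[name.strip()] = proto.strip()
    result = {}
    for entry in props.get("listeners", "").split(","):
        name = entry.strip().split("://", 1)[0]
        if name:
            result[name] = proto_map.get(name, name)
    return result


@dataclass
class Finding:
    control: str
    pci_req: str
    passed: bool
    detail: str


def check_controls(props: dict) -> list:
    protos = listener_protocols(props)
    findings = []
    # SEC-001 / Req 4.1: every listener must carry TLS (SSL or SASL_SSL).
    plaintext = sorted(n for n, p in protos.items() if p in PLAINTEXT_PROTOCOLS)
    findings.append(Finding("SEC-001", "Req 4.1", bool(protos) and not plaintext,
                            "plaintext listeners: " + (", ".join(plaintext) or "none")))
    # SEC-002 / Req 8.1: a SASL listener exists and a mechanism is enabled.
    sasl_listeners = [n for n, p in protos.items() if p in SASL_PROTOCOLS]
    mechs = props.get("sasl.enabled.mechanisms", "")
    findings.append(Finding("SEC-002", "Req 8.1", bool(sasl_listeners) and bool(mechs),
                            f"sasl.enabled.mechanisms={mechs or '<unset>'}"))
    # SEC-004 / Req 7.1: an authorizer is configured and there is no implicit allow-all.
    authorizer = props.get("authorizer.class.name", "")
    allow_all = props.get("allow.everyone.if.no.acl.found", "false").lower() == "true"
    findings.append(Finding("SEC-004", "Req 7.1", bool(authorizer) and not allow_all,
                            f"authorizer={authorizer or '<unset>'}, allow.everyone={allow_all}"))
    # REL-001 / Req 10.5: replication thresholds (assumed values for this example).
    rf = int(props.get("default.replication.factor", "1"))
    isr = int(props.get("min.insync.replicas", "1"))
    findings.append(Finding("REL-001", "Req 10.5", rf >= 3 and isr >= 2,
                            f"default.replication.factor={rf}, min.insync.replicas={isr}"))
    return findings


def compliance_score(findings: list) -> int:
    """Percentage of controls passed, rounded down."""
    return 100 * sum(f.passed for f in findings) // len(findings)


# Constructed sample broker config: a TLS+SASL listener plus a leftover plaintext one.
SAMPLE_CONFIG = """\
# broker 1 (constructed sample, not a real cluster)
listeners=INTERNAL://0.0.0.0:9092,SASL_SSL://0.0.0.0:9093
listener.security.protocol.map=INTERNAL:PLAINTEXT,SASL_SSL:SASL_SSL
sasl.enabled.mechanisms=SCRAM-SHA-512
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
allow.everyone.if.no.acl.found=false
default.replication.factor=3
min.insync.replicas=2
"""

if __name__ == "__main__":
    findings = check_controls(parse_properties(SAMPLE_CONFIG))
    for f in findings:
        print(f"{f.control} ({f.pci_req}): {'PASS' if f.passed else 'FAIL'} - {f.detail}")
    print("score:", compliance_score(findings))
```

On the sample config the plaintext `INTERNAL` listener fails SEC-001 while the other three controls pass, giving a score of 75. The listener-name resolution matters in practice: a listener named `INTERNAL` looks harmless until `listener.security.protocol.map` reveals it is PLAINTEXT, which is exactly the kind of mapping an auditor will ask you to evidence.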
Generating Audit-Ready Reports
The PDF report includes:
- Executive summary with compliance score
- PCI-DSS requirement mapping for every finding
- Remediation steps with CLI commands
- Evidence data from the cluster
Hand this directly to your auditor.