July 10, 2025

Keep Payment and Cardholder Data Secure with PCI-DSS Compliance for Tableau Cloud

Tableau Cloud is now PCI-DSS compliant, ensuring companies can securely handle cardholder data and build trust.

In today's digital landscape, businesses increasingly rely on cloud solutions that often involve sensitive information, including payment card data. PCI-DSS compliance means that Tableau Cloud not only empowers organizations in the financial services industry to leverage their data effectively but also enhances the robust security and compliance already built into Tableau Cloud.

Tableau Cloud has achieved Payment Card Industry Data Security Standard (PCI-DSS) 4.0 compliance, reinforcing our unwavering commitment to security and ensuring your sensitive payment card data is always protected.

What is PCI-DSS and How Does it Impact Tableau Cloud?

The Payment Card Industry Data Security Standard (PCI-DSS) is a globally recognized set of security standards. Its purpose is to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. For businesses handling customer payments or financial data, PCI-DSS compliance is crucial for safeguarding cardholder data and maintaining customer trust.

Tableau Cloud plays a vital role as a "service provider" in the PCI-DSS ecosystem, supporting payment processing for other companies. Our customers can now operate with even greater assurance knowing that their data environment within Tableau Cloud meets these rigorous standards.

Tableau Cloud's Commitment to Top-Tier Security

As part of our PCI-DSS compliance, we're proud to share that Tableau Cloud is a Level 1 service provider under PCI-DSS. This is the highest level of compliance, signifying that we meet all 12 technical and organizational controls of PCI-DSS.

To meet this standard, Tableau performs rigorous testing and validation, including:

  • An annual on-site assessment and Report on Compliance (ROC) by a Qualified Security Assessor (QSA).
  • Quarterly network scans by an Approved Scanning Vendor (ASV) to identify and address any vulnerabilities.
  • An Attestation of Compliance (AOC) signed by a senior executive, confirming our adherence to the standards.

Furthermore, Tableau Cloud operates on AWS's Infrastructure as a Service (IaaS) platform and Salesforce’s Hyperforce, both of which are themselves PCI-DSS Level 1 compliant. This means our foundational infrastructure is built on a bedrock of security, with AWS responsible for securing the data centers and physical controls.

The Shared Responsibility Model: A Partnership in Security

Tableau’s PCI-DSS compliance is built on the foundational principle of a Shared Responsibility Model. As the cloud service provider, Tableau Cloud manages the underlying infrastructure and platform, securing areas like network firewalls, data encryption at rest and in transit, vulnerability management, patching, and system activity logging. Conversely, our customers are responsible for securing their own application settings, data, and usage of the service by configuring secure access, encrypting data during transmission to and from Tableau Cloud, monitoring user activity, and securing any custom integrations.

A Venn diagram titled "Shared Responsibility Model in PCI DSS: Ensuring Compliance Together."

It is crucial that customers uphold their responsibility under this model for the environment to be fully PCI-DSS compliant. 

To that end, Tableau provides a bevy of tools that can help customers uphold their compliance requirements under the shared responsibility model:

  • Customer-Managed Encryption Key (CMEK): This critical feature allows customers to encrypt site data extracts with their own customer-managed, site-specific key.
  • Tableau Bridge: Securely connect Tableau Cloud to private network data, including on-premises databases or private cloud data, using HTTPS and WebSockets for reliable, encrypted communication.
  • Activity Log: Gain comprehensive visibility into detailed log events, sent directly to your own Amazon S3 bucket. This enables in-depth analysis, auditing, and monitoring of site activities and permission changes, crucial for compliance.
  • Robust Access Controls: Tableau Cloud offers a variety of features to ensure only authorized users access your data, including:
    • Multi-Factor Authentication (MFA) for strong verification.
    • Single Sign-On (SSO) for streamlined and consistent authentication.
    • SCIM for automated user provisioning and de-provisioning.
    • User Role/Permission Control to enforce the principle of least privilege.
    • Data Access Control and Row-Level Security (RLS) to restrict data visibility based on user identity.

A diagram titled "The Shared Responsibility Model, Layered Approach" illustrates the division of security responsibilities between Customer, Tableau, and AWS.

Key Considerations for Shared Responsibility

In addition to customer responsibilities, it is important to call out the limitations of Tableau’s current PCI-DSS implementation. Customers must take these limitations into account in their Tableau Cloud implementation in order to be covered by Tableau’s PCI-DSS compliance:

  • Customers must use CMEK to encrypt their extracts.
  • Only data in the form of data extracts or live connections is supported for PCI-DSS compliance. Embedded data sources such as Excel or CSV files, which cannot be encrypted with CMEK, are not within the scope of this compliance.
  • Customers are required to use their own Identity Provider (IdP) for Single Sign-On (SSO).

Understanding these specific points helps ensure that customers can effectively leverage Tableau Cloud's PCI-DSS compliant environment while meeting their own compliance obligations.

Your Trusted Partner in Data Security

At Salesforce, trust is our number one value, a principle that guides everything we do. Tableau Cloud is engineered with security at its core, committed to protecting your sensitive cardholder data. Our comprehensive approach, spanning infrastructure security, robust encryption, and detailed logging, provides a resilient environment for your critical information.

We are dedicated to being your trusted partner on the journey toward compliance and data security. 

For more detailed information, please refer to the Tableau Cloud PCI-DSS Whitepaper, visit our Tableau compliance website and resources, or reach out to your Salesforce account executive.

Want to experience this level of security and compliance? Start a free trial of Tableau Cloud.