Updates and fixes to PCI DSS topic #19880
Merged
merged 4 commits into from
Jul 7, 2025
2 changes: 1 addition & 1 deletion src/current/cockroachcloud/compliance.md
@@ -15,7 +15,7 @@ CockroachDB {{ site.data.products.cloud }} meets or exceeds the requirements of

## PCI DSS

CockroachDB {{ site.data.products.advanced }} has been certified by a PCI Qualified Security Assessor (QSA) as a PCI DSS Level 1 Service Provider. When configured appropriately, CockroachDB {{ site.data.products.advanced }} meets the requirements of PCI DSS 3.2.1. PCI DSS is mandated by credit card issuers but administered by the [Payment Card Industry Security Standards Council](https://www.pcisecuritystandards.org/). Many organizations that do not store cardholder data still rely on compliance with PCI DSS to help protect other sensitive or confidential data or metadata.
CockroachDB {{ site.data.products.advanced }} has been certified by a PCI Qualified Security Assessor (QSA) as a PCI DSS Level 1 Service Provider. When configured appropriately, CockroachDB {{ site.data.products.advanced }} meets the requirements of PCI DSS 4.0. PCI DSS is mandated by credit card issuers but administered by the [Payment Card Industry Security Standards Council](https://www.pcisecuritystandards.org/). Many organizations that do not store cardholder data still rely on compliance with PCI DSS to help protect other sensitive or confidential data or metadata.

Features to support PCI DSS are not yet available on Azure.
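Review bot: the version label on the `+` line ("meets the requirements of PCI DSS 4.0") should match the rest of this PR before merge; the pci-dss.md change in the same PR links a v4.0.1 ROC/AOC template while its Quick Reference Guide link is labelled "4.x", so confirm which version the QSA certification actually covers and use that one label consistently in both files. The unchanged context line about Azure still holds, as the reviewer comment on private-clusters.md below confirms that PCI DSS is not yet supported on Azure.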

2 changes: 1 addition & 1 deletion src/current/cockroachcloud/egress-perimeter-controls.md
@@ -35,7 +35,7 @@ Regardless of user-specific Egress Perimeter Control policy, egress is always pe
## Before you begin

- Egress Perimeter Controls are supported on AWS and GCP for the following deployment types:
- CockroachDB {{ site.data.products.advanced }} clusters with [enhanced security features]({% link cockroachcloud/create-an-advanced-cluster.md %}#step-6-configure-advanced-security-features).
- CockroachDB {{ site.data.products.advanced }} clusters with [advanced security features]({% link cockroachcloud/create-an-advanced-cluster.md %}#step-6-configure-advanced-security-features).
- CockroachDB {{ site.data.products.advanced }} [Private Clusters]({% link cockroachcloud/private-clusters.md %}).

Egress Perimeter Controls are not supported for CockroachDB {{ site.data.products.advanced }} on Azure.
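Review bot: after the rename on the `+` line, this list still presents "[Private Clusters]" as a second, separate deployment type, while the pci-dss.md hunk in this PR describes private-cluster networking (no public node IPs, private subnets, per-cluster NAT gateway) as what advanced security features provide; if the two now mean the same thing, collapse these into one bullet, otherwise state the difference so readers do not treat them as two independent prerequisites for Egress Perimeter Controls.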
2 changes: 1 addition & 1 deletion src/current/cockroachcloud/insights-page.md
@@ -23,4 +23,4 @@ Viewing the insights page requires the [Cluster Admin]({% link cockroachcloud/au

- [Statements page]({% link cockroachcloud/statements-page.md %})
- [Transactions page]({% link cockroachcloud/transactions-page.md %})
- [Databases page]({% link cockroachcloud/databases-page.md %})
- [Databases page]({% link cockroachcloud/databases-page.md %})
41 changes: 19 additions & 22 deletions src/current/cockroachcloud/pci-dss.md
@@ -24,7 +24,7 @@ Features to support PCI DSS are not yet available on Azure. Refer to [CockroachD

## Overview of PCI DSS

When a system complies with PCI DSS, the system meets the goals of the standard by implementing a series of requirements, as assessed by an independent PCI QSA. The following table, which is published in Payment Card Industry Security Standards Council's [PCI DSS Quick Reference Guide, version 3.2.1](https://listings.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf), summarizes the goals and requirements of PCI DSS.
When a system complies with PCI DSS, the system meets the goals of the standard by implementing a series of requirements, as assessed by an independent PCI QSA. The following table, which is published in Payment Card Industry Security Standards Council's [PCI DSS Quick Reference Guide, version 4.x](https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Supporting%20Document/PCI-DSS-v4_x-QRG.pdf), summarizes the goals and requirements of PCI DSS.

<table>
<tgroup cols="2">
@@ -38,31 +38,31 @@ When a system complies with PCI DSS, the system meets the goals of the standard
<tr>
<td>Build and maintain a secure network and systems.</td>
<td><ol>
<li>Install and maintain a firewall configuration to protect cardholder data.</li>
<li>Do not use vendor-supplied defaults for system passwords and other security parameters.</li>
<li>Install and maintain network security controls.</li>
<li>Apply secure configurations to all system components.</li>
</ol>
</td>
</tr>
<tr>
<td>Protect cardholder data.</td>
<td>Protect account data.</td>
<td><ol start="3">
<li>Protect stored cardholder data.</li>
<li>Encrypt transmission of cardholder data across open, public networks.</li>
<li>Protect stored account data.</li>
<li>Protect cardholder data with strong cryptography during transmission over open, public networkss.</li>
</ol>
</td>
</tr>
<tr>
<td>Maintain a vulnerability management program.</td>
<td><ol start="5">
<li>Protect all systems against malware and regularly update antivirus software or programs.</li>
<li>Protect all systems and networks from malicious software.</li>
<li>Develop and maintain secure systems and applications.</li>
</ol>
</td>
</tr>
<tr>
<td>Implement strong access control measures.</td>
<td><ol start="7">
<li>Restrict access to cardholder data by business need to know.</li>
<li>Restrict access to system components and cardholder data by business need to know.</li>
<li>Identify and authenticate access to system components.</li>
<li>Restrict physical access to cardholder data.</li>
</ol>
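Review bot: typo on the requirement 4 line, `+ <li>Protect cardholder data with strong cryptography during transmission over open, public networkss.</li>` should read "networks". Since the table is now presented as the v4.x list, the two unchanged context lines for requirement 6 ("Develop and maintain secure systems and applications") and requirement 8 ("Identify and authenticate access to system components") still carry the 3.2.1 titles; v4 names them "Develop and maintain secure systems and software" and "Identify users and authenticate access to system components", so update them in the same pass.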
@@ -71,37 +71,36 @@ When a system complies with PCI DSS, the system meets the goals of the standard
<tr>
<td>Regularly monitor and test networks.</td>
<td><ol start="10">
<li>Track and monitor all access to network resources and cardholder data.</li>
<li>Regularly test security systems and processes.</li>
<li>Log and monitor all access to system components and cardholder data.</li>
<li>Test security of systems and networks regularly.</li>
</ol>
</td>
</tr>
<tr>
<td>Maintain an information security policy.</td>
<td><ol start="12">
<li>Maintain a policy that addresses information security for all personnel.</li>
<li>Support information security with organizational policies and programs.</li>
</td>
</tr>
</tbody>
</tgroup>
</table>

CockroachDB {{ site.data.products.advanced }} is certified by a PCI QSA to be compliant with [PCI DSS 3.2.1](https://listings.pcisecuritystandards.org/documents/SAQ_D_v3_Merchant.pdf) within the DBaaS platform. Customers are still responsible to ensure that their applications are PCI DSS compliant. Customers may need to take the additional actions outlined in [Responsibilities of the customer](#responsibilities-of-the-customer) to maintain their own PCI compliance when using CockroachDB {{ site.data.products.advanced }} clusters for cardholder data or other sensitive data.
CockroachDB {{ site.data.products.advanced }} is certified by a PCI QSA to be compliant with [PCI DSS 4.0](https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Reporting%20Template%20or%20Form/PCI-DSS-v4-0-1-ROC-AOC-Merchants.pdf) within the DBaaS platform. Customers are still responsible to ensure that their applications are PCI DSS compliant. Customers may need to take the additional actions outlined in [Responsibilities of the customer](#responsibilities-of-the-customer) to maintain their own PCI compliance when using CockroachDB {{ site.data.products.advanced }} clusters for cardholder data or other sensitive data.

## Responsibilities of Cockroach Labs

Cockroach Labs takes actions to ensure that the operating procedures and the deployment environment for CockroachDB {{ site.data.products.advanced }} clusters meet or exceed the requirements of PCI DSS 3.2.1. Some of these actions include:
Cockroach Labs takes actions to ensure that the operating procedures and the deployment environment for CockroachDB {{ site.data.products.advanced }} clusters meet or exceed the requirements of PCI DSS 4.0. Some of these actions include:

- Enforcing comprehensive security policies and standards.
- Providing periodic security training for all Cockroach Labs employees.
- Hardening our operating environments and networks according to industry standards and recommended practices, to ensure that they are secure and resilient against vulnerabilities and attacks.
- Encrypting cluster data and metadata at rest and in transit.
- Regularly scanning our environment using tools designated by PCI as [Approved Scanning Vendors (ASVs)](https://www.pcidssguide.com/what-is-a-pci-approved-scanning-vendor-asv/) to ensure our continued compliance with PCI DSS 3.2.1, and correcting issues as quickly as possible.
- Regularly scanning our environment and software for known security vulnerabilities and applying updates and security patches in a timely manner.
- Regularly scanning our environment using tools designated by PCI as [Approved Scanning Vendors (ASVs)](https://www.pcidssguide.com/what-is-a-pci-approved-scanning-vendor-asv/) to ensure our continued compliance with PCI DSS 4.0, by correcting issues and patching known security vulnerabilities as quickly as possible.
- Implementing [data loss prevention (DLP)](https://pcidss.com/listing-category/data-loss-protection-dlp).
- [Logging]({% link cockroachcloud/cloud-org-audit-logs.md %}) cluster actions and events, redacting sensitive information in audit logs, and retaining audit logs according to the [PCI DSS logging requirements](https://listings.pcisecuritystandards.org/documents/Effective-Daily-Log-Monitoring-Guidance.pdf).

A comprehensive list of all actions that Cockroach Labs takes to ensure compliance with PCI DSS 3.2.1 is beyond the scope of this document. For more information, contact your Cockroach Labs account team.
A comprehensive list of all actions that Cockroach Labs takes to ensure compliance with PCI DSS 4.0 is beyond the scope of this document. For more information, contact your Cockroach Labs account team.

Compliance is a shared responsibility. Be sure to read [Responsibilities of the customer](#responsibilities-of-the-customer) to support you in maintaining your own PCI DSS compliance within your cluster.
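Review bot: merging the two scanning bullets into `+ - Regularly scanning our environment using tools designated by PCI as [Approved Scanning Vendors (ASVs)] ... by correcting issues and patching known security vulnerabilities as quickly as possible.` drops the separate statement that the environment and software are scanned for known vulnerabilities and patched in a timely manner; ASV scans are external, quarterly scans, and the removed bullet described internal vulnerability scanning and patching, which is a distinct control, so keep it as its own bullet. Two smaller points in the same hunk: the requirement 12 cell closes with `</td>` directly after the new `<li>` line with no `</ol>`, unlike every other cell in the table, and the new link text says "PCI DSS 4.0" while the URL points at a v4.0.1 merchant ROC/AOC template even though the paragraph describes a Service Provider certification, so confirm the document being cited and label it by its actual version.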

@@ -113,24 +112,22 @@ It is the customer’s responsibility to know what is required for your complian

A CockroachDB {{ site.data.products.advanced }} cluster must have the following features enabled to be used in a PCI DSS compliant manner:

- The cluster must be created as a CockroachDB {{ site.data.products.advanced }} [private cluster]({% link cockroachcloud/private-clusters.md %}). A private cluster's nodes have no public IP addresses, and its egress traffic moves over private subnets and through a highly-available NAT gateway that is unique to the cluster. An existing cluster cannot be migrated to be a private cluster.
- The cluster must be created with [enhanced security features]({% link cockroachcloud/create-an-advanced-cluster.md %}). Enhanced security features cannot be changed after the cluster is created.
- The cluster must be created as a CockroachDB {{ site.data.products.advanced }} cluster with [advanced security features]({% link cockroachcloud/create-an-advanced-cluster.md %}#step-6-configure-advanced-security-features) enabled. This configures the cluster such that its nodes have no public IP addresses, and its egress traffic moves over private subnets and through a highly-available NAT gateway that is unique to the cluster. An existing {{ site.data.products.advanced }} cluster without advanced security features cannot be migrated into an {{ site.data.products.advanced }} cluster with advanced security, and vice-versa.
- Single Sign-On (SSO) helps you avoid storing user passwords in CockroachDB {{ site.data.products.cloud }}:

- [Cloud Organization SSO]({% link cockroachcloud/configure-cloud-org-sso.md %}) allows members of your CockroachDB {{ site.data.products.cloud }} organization to authenticate to CockroachDB {{ site.data.products.cloud }} using an identity from an identity provider (IdP). This integration can be done using SAML or OIDC.
- [Cluster SSO]({% link cockroachcloud/cloud-sso-sql.md %}) allows users to access the SQL interface of a CockroachDB cluster (whether provisioned on CockroachDB {{ site.data.products.cloud }} or self-hosted) with the full security of SSO, and the convenience of being able to choose from a variety of SSO identity providers, including CockroachDB {{ site.data.products.cloud }}, Google, Azure, GitHub, or your own self-hosted OIDC.

- Enable [Customer-Managed Encryption Keys (CMEK)]({% link cockroachcloud/cmek.md %}), which allow you to protect data at rest in a CockroachDB {{ site.data.products.dedicated }} cluster using a cryptographic key that is entirely within your control, hosted in a supported key-management system (KMS) platform. It enables file-based encryption of all new or updated data, and provides additional protection on top of the storage-level encryption of cluster disks.
- Enable [Customer-Managed Encryption Keys (CMEK)]({% link cockroachcloud/cmek.md %}), which allow you to protect data at rest in a CockroachDB {{ site.data.products.advanced }} cluster using a cryptographic key that is entirely within your control, hosted in a supported key-management system (KMS) platform. It enables file-based encryption of all new or updated data, and provides additional protection on top of the storage-level encryption of cluster disks.
- Enable [Egress Perimeter Controls]({% link cockroachcloud/egress-perimeter-controls.md %}), which ensure that cluster egress operations, such as [self-managed cluster backups]({% link cockroachcloud/take-and-restore-self-managed-backups.md %}) or [change data capture]({% link {{ site.current_cloud_version }}/change-data-capture-overview.md %}), are restricted to a list of specified external destinations.
- [Cluster log exports]({% link cockroachcloud/export-logs.md %}) must have the redaction feature enabled to prevent the exposure of sensitive data in logs exported to your instance of Amazon CloudWatch or GCP Cloud Logging.
- Use [cluster log exports]({% link cockroachcloud/export-logs-advanced.md %}) to automatically capture detailed information about queries being executed in your cluster. You must have the redaction feature enabled to prevent the exposure of sensitive data in logs exported to your instance of Amazon CloudWatch or GCP Cloud Logging. (Refer to the `redact` setting under [Enable log export]({% link cockroachcloud/export-logs-advanced.md %}#enable-log-export).)
- [Cloud Organization audit logs]({% link cockroachcloud/cloud-org-audit-logs.md %}) automatically capture information when many types of events occur in your CockroachDB {{ site.data.products.cloud }} organization, such as when a cluster is created or when a member is added to or removed from an organization. You can export your CockroachDB {{ site.data.products.cloud }} organization's audit logs to analyze usage patterns and investigate security incidents.
- [Cluster audit log export]({% link cockroachcloud/export-logs.md %}) automatically capture detailed information about queries being executed in your cluster.

Cockroach Labs cannot provide specific advice about ensuring end-to-end compliance of your overall system with PCI DSS or how to implement a specific requirement across all operating environments. The following are additional guidelines for a cluster to be used in a PCI DSS compliant manner:

- Before you insert cardholder data into the cluster, protect it by a combination of encryption, hashing, masking, and truncation. For an example implementation, refer to [Integrate CockroachDB {{ site.data.products.advanced }} with Satori]({% link {{ site.current_cloud_version }}/satori-integration.md %}).
- The cryptographic materials used to protect cardholder data must themselves be protected at rest and in transit, and access to the unencrypted key materials must be strictly limited only to approved individuals.
- Within the cluster, restrict access to cardholder data on a “need to know basis” basis. Access to tables and views in the cluster that contain cardholder data must be restricted, and you are responsible to regularly test for compliance. Refer to [Authorization]({% link {{ site.current_cloud_version }}/authorization.md %}).
- Within the cluster, restrict access to cardholder data in a manner consistent with the [principle of least privilege](https://wikipedia.org/wiki/Principle_of_least_privilege). Access to tables and views in the cluster that contain cardholder data must be restricted, and you are responsible to regularly test for compliance. Refer to [Authorization]({% link {{ site.current_cloud_version }}/authorization.md %}).
- Protect networks that transmit cardholder data from malicious access over the public internet, and regularly test for compliance. For more information about protecting the cluster’s networks, refer to [Network Authorization]({% link cockroachcloud/network-authorization.md %}).
- Important security and stability updates are applied regularly and automatically to CockroachDB {{ site.data.products.advanced }} clusters. These updates include, but are not limited to, the cluster’s CockroachDB runtime, the operating systems of cluster nodes, APIs, and management utilities. Customers are notified about upcoming cluster maintenance before it happens, when it starts, and when it completes.
- If your cluster is part of a solution that includes external systems and applications that store or process cardholder data, it is your responsibility to ensure that these systems and applications, as well as their dependencies, are compliant with PCI DSS. You are responsible for regularly testing these systems and applications for known vulnerabilities and compliance violations and regularly applying updates and mitigations.
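Review bot: requirement 7 is phrased "business need to know" both in the standard and in this page's own table above, so replacing that phrase outright on the `+ - Within the cluster, restrict access to cardholder data in a manner consistent with the [principle of least privilege] ...` line loses the direct mapping from the guideline to the requirement; suggest keeping both, e.g. "on a need-to-know basis, consistent with the principle of least privilege". Also, the merged cluster bullet uses a bare `{{ site.data.products.advanced }}` twice ("An existing {{ site.data.products.advanced }} cluster ...") where every other occurrence on the page is prefixed with "CockroachDB".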
4 changes: 2 additions & 2 deletions src/current/cockroachcloud/private-clusters.md
@@ -13,7 +13,7 @@ By default, CockroachDB {{ site.data.products.cloud }} has safeguards in place t
- Ingress traffic to a cluster is routed through a load balancer, and it is possible to restrict inbound connections using a combination of [IP allowlisting]({% link cockroachcloud/network-authorization.md %}#ip-allowlisting) and [private connectivity]({% link cockroachcloud/connect-to-your-cluster.md %}#establish-private-connectivity).
- Egress traffic from a cluster, such as [exports]({% link {{ site.current_cloud_version }}/export.md %}), [backups]({% link {{ site.current_cloud_version }}/backup.md %}), and [Change Data Capture (CDC)]({% link {{ site.current_cloud_version }}/change-data-capture-overview.md %}), use public subnets by default.

A CockroachDB {{ site.data.products.advanced }} cluster with [enhanced security features enabled]({% link cockroachcloud/create-an-advanced-cluster.md %}) is a _private cluster_. Its nodes have no public IP addresses, and egress traffic moves over private subnets and through a highly-available NAT gateway that is unique to the cluster.
A CockroachDB {{ site.data.products.advanced }} cluster with [advanced security features enabled]({% link cockroachcloud/create-an-advanced-cluster.md %}) is a _private cluster_. Its nodes have no public IP addresses, and egress traffic moves over private subnets and through a highly-available NAT gateway that is unique to the cluster.

A private cluster has one private network per cluster region, and each node is connected to the private network for its region. A NAT gateway is connected to each private network and provides a static egress public IP address.

@@ -28,7 +28,7 @@ Private clusters are not available for [CockroachDB {{ site.data.products.advanc
## Create a private cluster

On GCP, new CockroachDB {{ site.data.products.advanced }} clusters are private by default.
On AWS, newly CockroachDB {{ site.data.products.advanced }} with enhanced security features clusters deployed on AWS are private by default.
On AWS, newly CockroachDB {{ site.data.products.advanced }} with advanced security features clusters deployed on AWS are private by default.
Contributor commented:

@jhlodin All Azure clusters are private by default. But one thing to note is that we don't support PCI-DSS on Azure yet.

jhlodin (Contributor Author) commented on Jul 3, 2025:
I want to hold off on making more edits to this file private-clusters.md specifically, because there is another separate discussion I want to have over use of the seemingly outdated term "private cluster" and whether this doc should continue to exist as-is. See DOC-14194 for more context.

So I'd prefer to leave this untouched for now to avoid scope creep on this PR.


Creation of private clusters, as well as {{ site.data.products.cloud }} clusters in general, requires the [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) or [Cluster Creator]({% link cockroachcloud/authorization.md %}#cluster-creator) role.
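Review bot: the changed line still reads `On AWS, newly CockroachDB {{ site.data.products.advanced }} with advanced security features clusters deployed on AWS are private by default.`, which repeats "on AWS" and has "newly" where "new" is meant; if this file is touched at all, suggest `On AWS, new CockroachDB {{ site.data.products.advanced }} clusters with advanced security features are private by default.` The thread above defers further edits to this file, so this can carry over to DOC-14194 rather than block this PR.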
