Private Internet Access (PIA) is not PCI DSS compliant. The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from major card schemes, including Visa and Mastercard. The PCI standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council.
Understanding Requirement 10
Under Requirement 10 of the PCI DSS, an entity must "Regularly Monitor and Test Networks." This specifically involves tracking and monitoring all access to network resources and cardholder data.
The PCI DSS guidelines state:
"Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Logging mechanisms and the ability to track user activities are critical in preventing, detecting and minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs."
Data Retention and the Conflict With No-Logs
PCI DSS data retention guidelines require that access and activity logs, along with the documentation of protected information that demonstrates the covered entity's adherence to the standard, be retained for one year.
In the event that a breach occurs or is alleged to have occurred, an entity must be able to prove it followed all facets of PCI DSS. The standard requires that internal audits of this data be performed regularly. Furthermore, PCI DSS requires that the covered entity be able to produce this information when subpoenaed.
Because PIA maintains a strict no-logs policy, we cannot provide the information required by PCI DSS if subpoenaed. Consequently, PIA cannot comply with PCI DSS requirements and cannot provide VPN services for PCI-compliant operations.