Framework: PCI DSS v4
Okta backup and disaster recovery for PCI DSS
PCI DSS v4 expects the identity layer governing cardholder-data environment access to be both restricted and recoverable. Butterfly is the recovery layer for that identity layer.
Scope
In-scope control families
- Requirement 7 — Restrict access by business need to know
- Requirement 8 — Identify and authenticate access
- Requirement 12.10 — Incident response
Coverage mapping
How Butterfly maps to PCI DSS v4
Req 7.2.4 — Periodic access reviews
Point-in-time backups make access reviews diffable against any prior state.
Req 8.3.6 — MFA controls for CDE access
The authentication-policy backup captures MFA posture; the restore preview shows changes before they are applied.
Req 12.10.1 — Documented incident response
The Audit Pack PDF documents identity-layer state at any point on the timeline, for use in incident retrospectives.
FAQ
Is Butterfly itself in PCI scope?
Butterfly handles Okta configuration data only — no cardholder data passes through Butterfly. The Trust Center documents data flow for QSA review.
Does Butterfly help with PCI access-review evidence?
Yes. Every snapshot is itself a point-in-time evidence pack. The Audit Pack PDF surfaces it in PCI-filterable form.
Will you sign a PCI attestation?
Butterfly is not a Level 1 service provider. We can support customers whose Okta tenant is part of their own PCI scope; the data flow is documented in the Trust Center.