Platform.sh is compliant with PCI DSS Level 1

Joey Stanford
Security, Compliance and Data Protection Officer
12 May 2020

Platform.sh has recently completed third-party audits of our infrastructure and processes against the Payment Card Industry Data Security Standard (PCI DSS) at Level 1, the most stringent assessment tier for service providers. This means our systems and processes have passed an independent evaluation of the controls that protect payment card data.

What PCI DSS means for Platform.sh customers

This certification allows Platform.sh customers to pursue PCI DSS Level 1 certification for their own e-commerce applications, built on any technology Platform.sh supports, including Magento, WooCommerce, Drupal Commerce and many others.

The completed PCI audit is the latest of our efforts to ensure the highest levels of security for our customers. It joins our existing SOC 2 Type 2 attestation and our compliance with the European GDPR, German BDSG, Canadian PIPEDA, and the Australian Privacy Act.

Platform.sh provides key layers of security for all customers, but PCI DSS compliance is a shared responsibility: the platform's certification does not transfer automatically to an application running on it. Certifying a particular customer application requires its own audit of that application and of how it handles cardholder data. Platform.sh has recently introduced the Elite tier of service to offer assistance with such audits.

For complete details on customer and Platform.sh responsibilities, please see our documentation.

The unique approach to PCI DSS at Platform.sh

In addition to rigorous processes governing the management of our infrastructure, Platform.sh has developed new technologies to help ensure compliance and security for our customers who need to audit their applications for PCI DSS.

We have developed a customer-configurable outbound firewall, enabled through Platform.sh configuration files. It lets customers restrict the outbound connections their application containers can make to specific IP addresses or ranges, so that a compromised application cannot freely exfiltrate data or reach arbitrary hosts. PCI DSS requires that outbound traffic from the cardholder data environment be limited to what is necessary, and an egress allowlist of this kind is a direct way to meet that requirement.
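As an added illustration (not configuration from the original post or from Platform.sh itself), here is the shape such an egress allowlist takes in an application's `.platform.app.yaml`. The key names (`firewall`, `outbound`, `ips`, `domains`, `ports`) follow the Platform.sh application configuration reference as I recall it, and the address range and hostname are placeholders; the exact schema and the default behaviour should be checked against the current documentation before use.

```yaml
# .platform.app.yaml (fragment) - added example, not from the original post.
# Assumption: once a `firewall` block is present, outbound connections that
# match no rule are dropped, so the rules below act as an egress allowlist.
firewall:
    outbound:
        # Payment gateway API over HTTPS only. 203.0.113.0/24 is a
        # documentation range (RFC 5737); replace it with the addresses
        # your payment provider publishes.
        - ips: ["203.0.113.0/24"]
          ports: [443]
        # A rule can also name a destination by hostname; the hostname
        # here is a placeholder.
        - domains: ["api.payments.example"]
          ports: [443]
```

Everything not listed (other hosts, other ports such as plain HTTP on 80, or outbound SMTP) is then blocked for that application container, which is the property an assessor will look for when reviewing the boundary of the cardholder data environment.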

We have also developed a proprietary container-aware anti-malware and file integrity monitoring solution. This system allows for real-time detection of attempted malicious behavior that violates our containment model. Our 24x7 security response team is alerted to suspicious behaviors.

Running PCI DSS Level 1 audited applications on Platform.sh

Our internal auditing procedures, security and operational processes, and technology approach are shared across all customer instances and product tiers. However, assistance with customers’ own auditing process requires the Elite tier of Platform.sh service. For details on getting started, customers can contact their account manager or the Platform.sh sales team.