Please refer to our Compliance Guidance page for an overview of our compliance program, including security & compensating controls, and a general allocation of responsibility.
Payment Card Industry (PCI) Data Security Standards (DSS) is a set of network security and business best practice guidelines that establish a “minimum security standard” to protect payment card information. While Platform.sh does not handle credit cards, many of our customers do.
Platform.sh undergoes an annual third-party audit to maintain PCI DSS recertification. Please note, however, that the OVH-FR-2 region is excluded from our PCI certification.
Cardholder processing activity is discouraged. Please use a third-party processor.
Customers who want to run PCI workloads on Platform.sh must agree to and implement the measures contained in the Platform.sh PCI Responsibility Matrix (Excel). This document provides guidance on shared responsibilities to achieve PCI DSS compliance using PCI DSS 3.2 as a reference.
While Platform.sh provides a secure and PCI compliant infrastructure, the customer is responsible for ensuring that the environment and applications that they host on Platform.sh are properly configured and secured according to PCI requirements. Failure to do so will result in a non-compliant customer environment.