PCI compliance

Refer to our Compliance Guidance for an overview of our compliance program, including security & compensating controls, and a general allocation of responsibility.


Payment Card Industry (PCI) Data Security Standards (DSS) is a set of network security and business best practice guidelines that establish a “minimum security standard” to protect payment card information. While Platform.sh doesn’t handle credit cards, many of our customers do.

Platform.sh undergoes an annual third-party audit to maintain PCI DSS recertification. Note that the FR-1 and FR-3 regions are excluded from our PCI certification.


Customers who want to run PCI workloads on Platform.sh must agree to and implement the measures contained in the Platform.sh PCI Responsibility Matrix (Excel). This document provides guidance on shared responsibilities to achieve PCI DSS compliance using PCI DSS 3.2 as a reference.

While Platform.sh provides a secure and PCI compliant infrastructure, the customer is responsible for ensuring that the environment and applications that they host on Platform.sh are properly configured and secured according to PCI requirements. Failure to do so will result in a non-compliant customer environment.