
Today we are very happy to announce that Volterra is able to serve its customers with PCI DSS Level 1 compliant services. Our entire team has put in a tremendous amount of work over the past few months to deliver this capability.
By complying with PCI’s rigorous standard, customers using Volterra’s services to run mission-critical applications can be assured that our security is maintained to the highest level and validated independently.
This blog post provides more details on what PCI DSS is and how it benefits our customers.
What is PCI DSS?
The PCI DSS (Payment Card Industry Data Security Standard) is an information security standard designed to increase controls around cardholder data to reduce payment card fraud.
The standard is administered by the PCI SSC (Payment Card Industry Security Standards Council), which was founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa Inc.
The standard applies to any organization that stores, transmits or accepts cardholder data.
PCI DSS certification levels and requirements
There are four levels of PCI DSS compliance, determined by the number of transactions the organisation handles each year and the level of risk assessed by payment brands.
Volterra is now Level 1 certified — this is the highest and most stringent level, allowing us to process more than 6 million transactions annually.
Level 1 assessment consists of an external and independent audit performed annually by a QSA (Qualified Security Assessor).
The PCI DSS specifies 12 requirements that are organised into 6 control objectives and contain more than 250 items to cover.

Which Volterra services are covered by the PCI DSS certification
Volterra’s distributed cloud services platform includes network and application layer security, as well as distributed denial of service (DDoS) protection for online enterprises. In the PCI DSS certification process, the entire Volterra global infrastructure has been audited (VoltConsole, Volterra Control Plane and all data centers) as well as our security policies, software development processes, etc.
The objective of PCI DSS is to protect cardholder data, so Volterra’s certification focused on our VoltMesh service. Volterra neither processes nor stores cardholder data in any manner, since VoltMesh acts as a reverse proxy between customers’ origin servers (merchant or payment service provider) and end consumers. Volterra treats all communication from the end consumer to the origin server, which could potentially include the PAN (primary account number), security code, and expiration date, as opaque data; it does not know whether the data includes cardholder data, and it does not treat cardholder data any differently from other data. Volterra’s Level 1 certification ensures that any action performed on customer traffic by Volterra global infrastructure complies with PCI DSS requirements.
Benefits for our customers
Volterra provides distributed cloud services enabling clients to deliver applications and services quickly and securely. By complying with the arduous requirements of PCI DSS, we are providing all our customers with an independent and industry-accepted security review of our processes, policies, infrastructure, and software development methodology.
For e-commerce merchants, PSPs (payment service providers) and more generally any customer that stores, transmits, or accepts cardholder data, Volterra Level 1 certification will greatly facilitate their own PCI DSS compliance. Furthermore, by providing a web application firewall (WAF), Volterra’s VoltMesh service will help customers to meet PCI requirement 6.6.
What’s next?
We have already started the AICPA SOC 2 Type II certification process to attest that security, confidentiality and availability controls are in place in accordance with the AICPA Trust Services Criteria.
If you have any questions related to PCI DSS or Volterra’s compliance program, feel free to reach out — Volterra’s Attestation of Compliance (AOC) is available upon request.