We are ready to serve PCI DSS Level 1 compliant service

Today we are very happy to announce that Volterra is able to serve its customers with PCI DSS Level 1 compliant services. Our entire team has achieved a tremendous amount of work over the past few months to deliver this capability.

By complying with PCI’s rigorous standard, customers using Volterra’s services to run mission-critical applications can be assured that our security is maintained to the highest level and validated independently.

This blog post provides more details on what PCI DSS is and how it benefits our customers.

What is PCI DSS?

The PCI DSS (Payment Card Industry Data Security Standard) is an information security standard designed to increase controls around cardholder data to reduce payment card fraud.

The standard is administered by the PCI SSC (Payment Card Industry Security Standards Council), which was founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa Inc.

The standard applies to any organization that stores, transmits or accepts cardholder data.

PCI DSS certification levels and requirements

There are four levels of PCI DSS compliance which are determined by the number of transactions the organisation handles each year and the level of risk assessed by payment brands.

Volterra is now Level 1 certified — this is the highest and most stringent level, allowing us to process more than 6 million transactions annually.

Level 1 assessment consists of an external and independent audit performed annually by a QSA (Qualified Security Assessor).

The PCI DSS specifies 12 requirements that are organised into 6 control objectives and contain more than 250 items to cover.

Which Volterra services are covered by the PCI DSS certification

Volterra’s distributed cloud services platform includes network and application layer security, as well as distributed denial of service (DDoS) protection for online enterprises. In the PCI DSS certification process, the entire Volterra global infrastructure has been audited (VoltConsole, Volterra Control Plane and all data centers) as well as our security policies, software development processes, etc.

The PCI DSS objective is to protect cardholder data, therefore Volterra’s certification focused on our VoltMesh service. Volterra does not process nor store cardholder data in any manner since VoltMesh acts as a reverse proxy between customers’ origin servers (merchant or payment service provider) and end consumers. Volterra treats all communication from the end consumer (which could potentially include PAN (primary account number), security code, and expiration date) to the origin server as opaque data; it does not know if the data includes cardholder data or not, and does not apply any special treatment for cardholder data vs. not. Volterra’s Level1 certification ensures that any action performed on customer traffic by Volterra global infrastructure complies with PCI DSS requirements.

Benefits for our customers

Volterra provides distributed cloud services enabling clients to deliver applications and services quickly and securely. By complying to the arduous requirements of PCI DSS, we are providing to all our customers an independent and industry-accepted security review of our processes, policies, infrastructure, and software development methodology.

For e-commerce merchants, PSP (payment service providers) and more generally any customer that stores, transmits, or accepts cardholder data, Volterra Level 1 certification will greatly facilitate their own PCI DSS compliance. Furthermore by providing a web application firewall (WAF), Volterra’s VoltMesh service will help customers to meet PCI requirement 6.6.

What’s next?

We already started the AICPA SOC 2 Type II certification process to attest that security, confidentiality and availability controls are in place in accordance to the AICPA Trust Service Criteria.

If you have any questions related to PCI DSS or Volterra’s compliance program, feel free to reach out — Volterra’s Attestation of Compliance (AOC) is available upon request.