Cloudflare and PCI Compliance

What is PCI compliance?

The PCI Security Standards Council created the Payment Card Industry Data Security Standard (PCI DSS) framework to “ensure the safe handling of cardholder information at every step”.

Is Cloudflare PCI compliant?

Yes. Cloudflare completed a Payment Card Industry (PCI) Data Security Standard (DSS) 2.0 security control assessment, and we have been certified by a third-party Qualified Security Assessor (QSA) as a Level 1 Service Provider.

What level of PCI compliance is Cloudflare?

We are compliant as a Level 1 Service Provider.

Does Cloudflare manage the PCI compliance for my site?

No. However, Cloudflare can assist you in meeting PCI DSS 2.0 and 3.0 Requirement 6.6 through the use of our Web Application Firewall (WAF).

How do I make my website PCI compliant?

The PCI Security Standards Council provides an overview of the Data Security Standards and tools to assist you in validating your PCI compliance.

Cloudflare Enterprise and Business plans can meet PCI DSS 3.2 standards through the use of the Cloudflare Web Application Firewall and Cloudflare SSL certificates.

Where can I find the PCI DSS standards?

The PCI DSS standard is available in the PCI Standards Council Documents Library.

How do I fix a PCI scan error or a reported vulnerability?

If the PCI scan error or reported vulnerability refers to the use of Cloudflare services (including the WAF), please contact our support team. Warnings in scans are often false positives, and supporting documentation can remove them from your report. We will work with you and your Approved Scanning Vendor (ASV) to review your vulnerability report and remediate false positives.

Which vendors offer PCI scanning or certification services?

Depending on whether you require a PCI Approved Scanning Vendor and/or PCI Qualified Security Assessor, the PCI Security Council’s website maintains a list of all approved companies and providers:
- ASV:
- QSA:

Where can I find more information about Cloudflare and PCI compliance?

We have written a detailed blog post about our PCI compliant status. You can read more here:

Will you communicate with our QSA or ASV?

Yes. For customers on Business or Enterprise plans, we can provide written confirmation of false positives for you to share with your QSA (Qualified Security Assessor) or ASV (Approved Scanning Vendor).
