Cloudflare and PCI Compliance

What is PCI compliance?

The PCI Security Standards Council created the Payment Card Industry Data Security Standard (PCI DSS) framework to “ensure the safe handling of cardholder information at every step”.

Is Cloudflare PCI compliant?

Yes. Cloudflare completed a Payment Card Industry (PCI) Data Security Standard (DSS) 2.0 security control assessment, and we have been certified by a third-party Qualified Security Assessor (QSA) as a Level 1 Service Provider.

What level of PCI compliance is Cloudflare?

We are compliant as a Level 1 Service Provider.

Does Cloudflare manage the PCI compliance for my site?

No. However, Cloudflare can assist you in meeting PCI DSS 2.0 and 3.0 Requirement 6.6 through the use of our Web Application Firewall (WAF).

How do I make my website PCI compliant?

The PCI Security Standards Council provides an overview of the Data Security Standards and tools to assist you in validating your PCI compliance.

Where can I find the PCI DSS standards?

The PCI DSS standard is available in the PCI Standards Council Documents Library.

How do I fix a PCI scan error or a reported vulnerability?

If the PCI scan error or reported vulnerability relates to the use of Cloudflare services (including the WAF), please contact our support team. Scan warnings are often the result of a false positive, and documentation can remove them from your report. We will work with you and your Approved Scanning Vendor (ASV) to review your vulnerability report and remediate false positives.

Which vendors offer PCI scanning or certification services?

Depending on whether you require a PCI Approved Scanning Vendor and/or PCI Qualified Security Assessor, the PCI Security Council’s website maintains a list of all approved companies and providers:
- ASV: https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php
- QSA: https://www.pcisecuritystandards.org/approved_companies_providers/qualified_security_assessors.php

Where can I find more information about Cloudflare and PCI compliance?

We have written a detailed blog post about our PCI-compliant status. You can read more here: https://blog.cloudflare.com/cloudflare-is-now-pci-3-1-certified/

Will you talk to our QSA or ASV?

Yes, we can talk to your QSA (Qualified Security Assessor) or ASV (Approved Scanning Vendor).
