One way that Akamai demonstrates its commitment to ensuring the safety of ourselves, our customers, and internet end users around the world is by ensuring that we comply with a variety of global and regional information security compliance programs. A summary of these programs, with links to more resources, is available below.
Global
- PCI DSS: Payment Card Industry Data Security Standard
- SOC 2: System and Organization Controls 2, Type 1 and 2
- ISO 27001: International Organization for Standardization, Security Management Controls
- ISO 27018: International Organization for Standardization, Cloud Security Controls
- ISO 27701: International Organization for Standardization, Privacy Management Controls
Regional
- FedRAMP: The Federal Risk and Authorization Management Program, U.S. Government Cloud Service Provider Authorization
- NIST: National Institute of Standards and Technology
- HIPAA: Health Insurance Portability and Accountability Act, Protected Health Information
- BSI: Bundesamt für Sicherheit in der Informationstechnik, Approved Critical Infrastructure Provider, Germany
- IRAP: Infosec Registered Assessors Program, Australian Government Security Standards
- PSD2: Payment Services Directive 2, European Open Banking Regulations
- MAS: Monetary Authority of Singapore
PCI DSS Level 1
Overview
Payment Card Industry Data Security Standard (PCI DSS) compliance is required for any business that stores, processes, or transmits payment card data. Developed by the major credit card companies, the PCI DSS defines measures for ensuring data protection and consistent security processes and procedures around online financial transactions. As formulated by the PCI Security Standards Council, the mandate of PCI DSS compliance includes:
- Developing and maintaining a security policy that covers all aspects of the business
- Installing firewalls to protect data
- Encrypting cardholder data that is transmitted over public networks
- Using antivirus software and updating it regularly
- Establishing strong passwords and other cybersecurity protocols
- Enforcing rigid access controls and monitoring access to account data
For large merchants and service providers that process high volumes of online financial transactions, PCI DSS compliance is enforced by annual validations performed by an independent Qualified Security Assessor (QSA).
Resources
Akamai Certification
Akamai’s Attestation of Compliance (AoC) serves as evidence for our customers that our in-scope services are compliant with the PCI DSS v3.2.1 security standard.
In connection with our PCI DSS compliance, Akamai performs a quarterly third-party external penetration test of the Secure CDN with Enhanced TLS. Results of these quarterly penetration tests, and compliance documentation and/or certification, are available for customers under nondisclosure agreement (NDA).
Downloads / Links
- Attestation of Compliance
- Responsibility Matrix
- Akamai’s listing on the Visa Global Registry of Service Providers
- List of Mastercard Compliant Service Providers (including Akamai)
Applicable Akamai Services
- Secure CDN with Enhanced TLS (Secure CDN), and the services running on it
- Edge Delivery products such as Ion, API Acceleration, and Adaptive Media Delivery, when running on the Secure CDN
- EdgeWorkers, when running on the Secure CDN
- mPulse digital performance management services
- App and API security products such as App & API Protector, Account Protector, Kona Site Defender, and Bot Manager (Standard and Premier), when running on the Secure CDN
- Page Integrity Manager
- Secure Internet Access Enterprise (formerly known as Enterprise Threat Protector)
- Akamai MFA
Q&A
Is Akamai PCI DSS Certified?
Yes, Akamai is certified as a PCI DSS Level 1 Service Provider, the highest level of assessment available. The PCI DSS Attestation of Compliance and Responsibility Matrix are publicly available.
If my website is using Akamai, how can I be sure that it is PCI DSS compliant?
Customers are responsible for their own PCI DSS certification and should engage a Qualified Security Assessor (QSA) to validate their controls and obtain certification. Customers and their QSAs may rely on Akamai’s Attestation of Compliance for the portion of their cardholder data environment that uses Akamai’s PCI DSS compliant services. Akamai’s PCI DSS Responsibility Matrix spells out the responsibilities of Akamai and our customers with respect to each of the PCI DSS requirements. Your account team may provide you with our PCI DSS Customer Configuration Guide, which provides more details.
Is Akamai listed on the Visa Global Registry of Service Providers and the Mastercard Compliant Service Provider List?
Yes. Akamai is listed on the registries maintained by both Visa and Mastercard. This shows that Akamai has met all applicable program requirements of these major payment card companies.
Can I review an executive summary of Akamai’s quarterly Approved Scanning Vendor (ASV) vulnerability scans and external penetration tests?
Yes. Your account team may provide this information subject to a standard nondisclosure agreement (NDA).
SOC 2 Type 2
Overview
SOC (System and Organization Controls) is a security standard promulgated by the American Institute of Certified Public Accountants (AICPA) that reports on controls that directly relate to the security, availability, processing integrity, confidentiality, and privacy at a service organization.
Resources
Akamai Certification
Akamai receives annual SOC 2 Type 2 reports, which demonstrate that our security controls are continuously audited over the course of the year.
Applicable Akamai Services
Akamai’s primary SOC 2 Type 2 report covers the Security and Availability Trust Services Criteria. The Akamai services in scope for this report are as follows:
- Secure CDN with Enhanced TLS
- Prolexic DDoS mitigation services
- Akamai Control Center customer portal
- Additional systems supporting access management, key management, and other infrastructural systems
The Akamai Intelligent Edge Platform comprises many different distributed systems that serve a variety of purposes and support our various products and services. The Secure CDN with Enhanced TLS and the supporting systems covered by the report are the distributed servers and systems used to deliver and protect web properties that transit or process sensitive end-user information. Akamai services running on the Secure CDN with Enhanced TLS leverage all of the security and availability controls tested in the primary SOC 2 Type 2 report. Examples of such services that may run on the Secure CDN with Enhanced TLS include:
- Edge Delivery products such as Ion and Dynamic Site Delivery, when running on the Secure CDN with Enhanced TLS
- App and API security products such as App & API Protector, Kona Site Defender, Kona DDoS Defender, Web Application Protector, and Bot Manager Standard, when running on the Secure CDN with Enhanced TLS
Akamai has an additional SOC 2 Type 2 report covering the Security and Availability Trust Service Criteria with respect to the following solutions:
- Bot Manager Premier
- Account Protector
Akamai’s SOC 2 Type 2 report for the Guardicore services covers the Security, Availability, and Confidentiality Trust Services Criteria.
Akamai’s SOC 2 Type 2 report for the Akamai Identity Cloud service covers all five Trust Services Criteria.
Q&A
How do I get a copy of the SOC 2 report?
Your Akamai account team can provide you with a copy.
What regions are covered?
Akamai’s SOC 2 reports cover Akamai’s services as a whole, and are not limited to particular regions.
Do you have a bridge letter covering the period since the last covered period?
Your account team can provide you with a bridge letter covering the period since the last issued report.
Does Akamai have a certificate of SOC 2 compliance?
SOC 2 does not offer a certificate of compliance. Instead, qualified third-party assessors produce a report on compliance for the assessed organization, discussing its system description, scope, control descriptions for meeting common criteria, evidence, and suitability of the organization’s descriptions and evidence.
Why are there multiple SOC 2 reports for Akamai?
Akamai now has SOC 2 reports covering the Identity Cloud and Guardicore services. These services were a result of recent acquisitions by Akamai. Akamai has continued the existing SOC 2 reports from these services rather than incorporating them into the primary SOC 2 report.
Does Akamai have a SOC 1 report?
Akamai does not undergo a SOC 1 audit. The purpose of a SOC 1 report is to address a service provider’s internal controls that may impact their customers’ financial reporting. Akamai’s customers do not outsource to Akamai business processes that are critical to their financial reporting, so a SOC 1 audit is not relevant to the services that Akamai provides.
ISO/IEC 27001:2013
Overview
ISO 27001 is an international standard for information security management systems (ISMS). It provides a framework for organizations to manage their sensitive information and data in a secure manner, protecting it against unauthorized access, disclosure, destruction, or loss. The standard is risk-based and outlines a set of best practices, controls, and processes for ensuring information security. It is widely adopted by organizations around the world, and is often used as a benchmark for information security management.
Resources
Applicable Akamai Services
- Ion (when configured to run on Akamai’s Secure CDN with Enhanced TLS)
- Dynamic Site Accelerator (when configured to run on Akamai’s Secure CDN with Enhanced TLS)
- App & API Protector (when configured to run on Akamai’s Secure CDN with Enhanced TLS)
- Global Traffic Management
- Edge DNS
- Secure Internet Access Enterprise (formerly known as Enterprise Threat Protector)
- Akamai Control Center portal
- Guardicore Segmentation
- Akamai Identity Cloud
- SPS Secure Mobile*
- SPS Secure IoT*
- SPS Secure Edge*
* The SPS name was deprecated in June 2022, and SPS Secure Mobile was renamed Secure Internet Access Mobile. Secure IoT and Secure Edge were renamed Private Access IoT and Private Access Edge.
Q&A
Why are there multiple ISO 27001 reports for Akamai?
In addition to the primary ISO 27001 certification, Akamai’s additional certifications arose out of Akamai’s acquisitions of Janrain, Inc., Asavie, Inc., and Guardicore, Inc. At this point, Akamai manages the certifications for the services that arose from these acquisitions separately.
How do I obtain a copy of Akamai’s ISO 27001 certifications?
Your account team can provide these certifications to you.
ISO/IEC 27018:2019
Overview
This standard provides guidance aimed at ensuring that cloud service providers offer suitable information security controls to protect the privacy of their customers’ clients by securing the personally identifiable information (PII) entrusted to them.
The standard serves as a reference for selecting PII protection controls when implementing a cloud computing information security management system based on ISO/IEC 27018. It also provides guidance on implementing PII protection controls.
Resources
Applicable Akamai Services
- Akamai Identity Cloud
Q&A
Which regions are covered by Akamai’s ISO 27018 compliance?
The ISO 27018 certification of the Akamai Identity Cloud service covers all global regions except for the Russian Federation.
How do I obtain a copy of Akamai’s ISO 27018 certification?
Your account team can provide these certifications to you.
ISO/IEC 27701:2019
Overview
ISO/IEC 27701:2019 is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC) to expand the information security management system (ISMS) of ISO/IEC 27001 to further address protection of privacy in the context of the processing of PII through a privacy information management system (PIMS). An organization complying with the requirements of ISO/IEC 27701 must generate documentary evidence of how it handles the processing of PII as a processor and/or as a controller.
Resources
Akamai Certification
Akamai’s ISO 27701 certificate, covering its core delivery and security services, is effective as of October 13, 2022.
Applicable Akamai Services
- Ion (when configured to run on Akamai’s Secure CDN with Enhanced TLS)
- Dynamic Site Accelerator (when configured to run on Akamai’s Secure CDN with Enhanced TLS)
- App & API Protector (when configured to run on Akamai’s Secure CDN with Enhanced TLS)
- Global Traffic Management
- Edge DNS
- Secure Internet Access Enterprise (formerly known as Enterprise Threat Protector)
Auditor
A-LIGN Assurance provides the ISO 27701 certification for Akamai’s core services.
Q&A
Can I obtain a copy of the certificate?
Your account team can provide you with our ISO 27701 certificate.
FedRAMP
Overview
A U.S. government compliance program, the Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
FedRAMP created and manages a core set of processes to ensure effective and repeatable cloud security for the U.S. government. It established a mature marketplace to increase utilization and familiarity with cloud services.
Resources
Akamai Certification
Since 2013, the Akamai Intelligent Edge Platform has held a FedRAMP Joint Authorization Board (JAB) Provisional Authorization to Operate (ATO) at the Moderate baseline, as an infrastructure as a service (IaaS) provider.
Downloads / Links
- Akamai’s FedRAMP Marketplace page
Applicable Akamai Services
- Akamai Intelligent Edge Platform for HTTP and HTTPS delivery (known as the ESSL and FreeFlow Networks) and services running on them
- Web Application Edge Protection such as App & API Protector and Kona Site Defender
- Edge DNS (with DNSSEC)
- NetStorage
- Media streaming services
- Akamai Control Center
- Global Traffic Management
Q&A
How do I access Akamai’s FedRAMP documentation?
Customers can get the “Package Access Request Form” from the FedRAMP Marketplace website.
What is Akamai’s FedRAMP Impact level?
Akamai’s FedRAMP authorization is at the Moderate Impact level. According to FedRAMP, a Moderate Impact system comprises “nearly 80% of CSP applications that receive FedRAMP authorization and is most appropriate for CSOs where the loss of confidentiality, integrity, and availability would result in serious adverse effects on an agency’s operations, assets, or individuals. Serious adverse effects could include significant operational damage to agency assets, financial loss, or individual harm that is not loss of life or physical.”
At this time, Akamai has not sought FedRAMP authorization for the High Impact level.
NIST
Overview
The National Institute of Standards and Technology (NIST) 800-53 security controls are generally applicable to U.S. Federal Information Systems. To ensure sufficient protection of confidentiality, integrity, and availability of information and information systems, federal information systems typically go through a formal assessment and authorization process.
The NIST Cybersecurity Framework (CSF) is supported by governments and industries worldwide as a recommended baseline for use by any organization, regardless of sector or size. Agencies are now required to implement the CSF under the Cybersecurity Executive Order.
Resources
Akamai Assessment
The Akamai Intelligent Edge Platform has been validated by third-party testing performed against the NIST 800-53 controls as well as additional FedRAMP requirements. Akamai’s NIST authorization is at the Moderate Impact level.
See Akamai’s FedRAMP compliance page for more information about FedRAMP compliance, which includes the relevant NIST controls.
HIPAA/HITECH
Overview
The U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) set forth the requirements for the processing of personally identifiable information by healthcare service and insurance providers.
The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) defines access rights to health data and mechanisms for patients to maintain control over their data. It expands the exchange of electronic protected health information as well as the scope of privacy and security protections under HIPAA.
Resources
Akamai Compliance
Neither HIPAA nor HITECH is directly applicable to Akamai as a content delivery and web security service provider. Nevertheless, where Akamai is engaged by its healthcare customers to process healthcare data, it may be considered a Business Associate, and a Business Associate Agreement might be required between Akamai and the healthcare customer. A copy of Akamai’s standard Business Associate Agreement is available upon request.
To ensure compliance with the HIPAA Security Rule, Akamai pursues an annual assessment. The Executive Summary of this assessment and/or the related letter by the assessors is available to Akamai customers and partners subject to nondisclosure agreement (NDA).
Downloads / Links
- Akamai’s HIPAA and HITECH Act Compliance Statement
Applicable Akamai Services
- Secure CDN with Enhanced TLS (Secure CDN), and the services running on it
- Edge Delivery products such as Ion, API Acceleration, and Adaptive Media Delivery, when running on the Secure CDN
- App and API security products such as App & API Protector, Account Protector, Kona Site Defender, and Bot Manager (Standard and Premier), when running on the Secure CDN
- Enterprise Application Access
- Akamai Identity Cloud
- Akamai Control Center
MAS (Singapore)
Overview
The Monetary Authority of Singapore (MAS) regulates financial institutions in the banking, capital markets, insurance, and payments sectors incorporated in Singapore. The MAS has published Outsourcing Guidelines for local financial institutions on the risk management of outsourcing arrangements, which cover:
- Engagement with MAS on outsourcing
- Sound practices on risk management of outsourcing arrangements
- Cloud computing
Resources
Amendments
Akamai Compliance
Akamai services used by financial service providers incorporated in Singapore are considered outsourced activities under these guidelines. Since Akamai services are compliant with the guidelines, financial services customers incorporated in Singapore can not only continue using Akamai services, but also deploy them as a key part of an outsourcing compliance strategy.
Applicable Akamai Services
- Secure CDN with Enhanced TLS and related services
- Edge Delivery products, such as Ion, when running on the Secure CDN with Enhanced TLS
- App and API security products, such as App & API Protector, Kona Site Defender, Web Application Protector, and Bot Manager, when running on the Secure CDN with Enhanced TLS
- Prolexic DDoS Mitigation Services
- Akamai Identity Cloud
Payment Services Directive (PSD2)
Overview
The revised Payment Services Directive (PSD2) by the EU and Open Banking, the U.K. implementation of PSD2, require financial institutions to open their payment infrastructure, granting third-party providers (TPPs) access to their customers’ bank account data. Regulatory bodies are driving this initiative to facilitate innovation, competition, and efficiency in financial services by enabling TPPs to provide payment and account information services to consumers.
Resources
Akamai Compliance
Akamai solutions help financial institutions comply with PSD2 by enhancing customer experiences, application stability, and security controls. The Akamai Intelligent Edge Platform serves as a conduit for communication between TPPs and the financial institution. Akamai security services protect the institution’s APIs from unauthorized access and ensure only authenticated access requests are processed. Akamai helps with PSD2 compliance by:
- Enhancing the customer experience
- Providing access control and governance for APIs
- Protecting APIs against attacks
- Delivering common and secure communication (SSL/TLS)
- Preventing screen scraping

“Internal APIs and proprietary apps are replaced by public APIs and third-party apps when third-party providers (TPPs) act between a bank and its customers.”
Downloads / Links
- Read the white paper Security Solutions for PSD2 Compliance and Risk Mitigation
- Read the white paper Offloading and Simplifying PSD2 Compliance
Applicable Akamai Services
Identity Cloud, Secure Content Delivery, App & API Protector, Kona Site Defender, Web Application Protector, Ion, DSA, and API Gateway.
Q&A
Is Open Banking the same as PSD2?
Open Banking is the PSD2 implementation in the U.K. It is based on a ruling — issued in August 2016 by the United Kingdom Competition and Markets Authority (CMA) — that required the nine biggest U.K. banks to give licensed startups direct access to their data, down to the level of account transactions.
Why is the PSD2 implementation always a customized solution?
PSD2 will always be a custom implementation because of the unique needs of each certificate authority Trust Provider (TP), specific legislation for EU countries, and internal compliance requirements according to individual company policies.
IRAP (Australia)
Overview
The Information Security Registered Assessors Program (IRAP) is an Australian Signals Directorate (ASD) initiative to provide high-quality information and communications technology (ICT) security assessment services to the government. The Australian Cyber Security Centre (ACSC) within the ASD produces the Australian Government Information Security Manual (ISM). The purpose of the ISM is to outline a cybersecurity framework that organizations can apply to protect their information and systems from online threats.
The ISM consists of more than 700 security controls that define security requirements in more than 80 areas, such as:
- Cybersecurity incidents
- System hardening
- Vulnerability management
- Patching
- Cryptography
- Network design
- Application development
Resources
Akamai Compliance
Akamai is assessed every two years by an independent auditor for compliance with the IRAP Security Controls defined in the ISM. The assessment covers both Akamai’s production and corporate network environments. A letter from the IRAP Assessor certifying the completion of the assessment is available subject to a nondisclosure agreement (NDA).
Please contact your Akamai account team for more information.
Applicable Akamai Services
- Secure CDN with Enhanced TLS, and the services running on it
- Edge Delivery products such as Ion, when running on the Secure CDN with Enhanced TLS
- Bot Manager Standard and Premier
- App and API security products, such as App & API Protector, Kona Site Defender, Web Application Protector, and Bot Manager, when running on the Secure CDN with Enhanced TLS
- Edge DNS
Critical Infrastructure (Germany)
Overview
Since June 2017, Akamai has fulfilled the requirements for critical infrastructure service providers, as implemented by the German BSI (Federal Office for Information Security), for its content delivery network services in Germany. In accordance with the underlying legislation, the BSI Act, Akamai performs a third-party audit every two years to prove that its technical and organizational measures appropriately protect its systems and ensure the availability, integrity, authenticity, and confidentiality of its services.
As part of the audit, Akamai Germany provides evidence to the BSI of its state-of-the-art security ensuring the availability, integrity, authenticity, and confidentiality of its critical systems. The basis for these audits is Akamai’s SOC 2 Type 2 report, ISO 27001 certification assessment, and several on-site audits by the auditor in data centers across Germany.
In addition to Akamai’s classification as a critical service provider for its edge delivery services, the BSI also recommends several of Akamai’s application and infrastructure security services to other critical service providers.
Resources
Applicable Akamai Services
Akamai CDN, which includes all of Akamai’s edge delivery services such as Ion and Dynamic Site Accelerator.