Overview
Payment Card Industry Data Security Standard (PCI DSS) compliance is required for any business that stores, processes, or transmits payment card data. Maintained by the PCI Security Standards Council, which was founded by the major payment card brands, the PCI DSS defines technical and operational requirements for protecting cardholder data and for keeping security processes and procedures consistent around payment card transactions. The requirements of the PCI DSS include:
- Developing and maintaining an information security policy that covers all personnel and all aspects of the business
- Installing and maintaining firewalls to protect cardholder data
- Encrypting cardholder data transmitted over open, public networks
- Protecting all systems against malware and keeping antivirus software up to date
- Not using vendor-supplied defaults for system passwords and other security parameters
- Restricting access to cardholder data on a need-to-know basis, and tracking and monitoring all access to network resources and cardholder data
For large merchants and service providers that process high volumes of payment card transactions, PCI DSS compliance is validated annually through an on-site assessment by an independent Qualified Security Assessor (QSA), in addition to quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV).
Resources
Akamai Certification
Akamai’s Attestation of Compliance (AoC) serves as evidence for our customers that our in-scope services are compliant with the PCI DSS v3.2.1 security standard.
In connection with our PCI DSS compliance, Akamai performs a quarterly third-party external penetration test of the systems included in the scope of our assessment. Results of these quarterly penetration tests, and compliance documentation and/or certification, are available for customers under nondisclosure agreement (NDA).
Downloads / Links
- Attestation of Compliance
- Responsibility Matrix
- Responsibility Matrix (Cloud Computing Services)
- Akamai’s listing on the Visa Global Registry of Service Providers
- List of Mastercard Compliant Service Providers (including Akamai)
Applicable Akamai Services
- Secure CDN with Enhanced TLS (Secure CDN), and the services running on it
- Edge Delivery products such as Ion, API Acceleration, and Adaptive Media Delivery, when running on the Secure CDN
- EdgeWorkers, when running on the Secure CDN
- mPulse digital performance management services
- App and API security products such as App & API Protector (including the Malware Protection add-on), Account Protector, Kona Site Defender, and Bot Manager (Standard and Premier), when running on the Secure CDN
- In-browser protections, including Client-side Protection & Compliance and Audience Hijacking Protector
- Secure Internet Access Enterprise (formerly known as Enterprise Threat Protector)
- Akamai MFA
- The following cloud computing solutions: Dedicated CPU, Shared CPU, and High Memory
Q&A
Is Akamai PCI DSS Certified?
Yes, Akamai is certified as a PCI DSS Level 1 Service Provider, the highest level of assessment available. The PCI DSS Attestation of Compliance and Responsibility Matrices are publicly available at the links above.
If my website is using Akamai, how can I be sure that it is PCI DSS compliant?
Customers are responsible for their own PCI DSS certification and should engage a Qualified Security Assessor (QSA) to validate their controls and obtain certification. Customers and their QSAs may rely on Akamai’s Attestation of Compliance for the portion of their cardholder data environment that uses Akamai’s PCI DSS compliant services. Akamai’s PCI DSS Responsibility Matrices (see links above) spell out the responsibilities of Akamai and of our customers for each PCI DSS requirement; controls listed as the customer’s responsibility still have to be implemented and validated by the customer. Your account team may provide you with our PCI DSS Customer Configuration Guide, which gives more details.
Is Akamai listed on the Visa Global Registry of Service Providers and the Mastercard Compliant Service Provider List?
Yes. Akamai appears on both the Visa and the Mastercard registries. This shows that Akamai has met all applicable program requirements of these major payment card brands.
Can I review an executive summary of Akamai’s quarterly Approved Scanning Vendor (ASV) vulnerability scans and external penetration tests?
Yes. Your account team may provide this information subject to a standard nondisclosure agreement (NDA).