
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:media="http://search.yahoo.com/mrss/">
    <channel>
        <title><![CDATA[ The Cloudflare Blog ]]></title>
        <description><![CDATA[ Get the latest news on how products at Cloudflare are built, technologies used, and join the teams helping to build a better Internet. ]]></description>
        <link>https://blog.cloudflare.com</link>
        <atom:link href="https://blog.cloudflare.com/" rel="self" type="application/rss+xml"/>
        <language>en-us</language>
        <image>
            <url>https://blog.cloudflare.com/favicon.png</url>
            <title>The Cloudflare Blog</title>
            <link>https://blog.cloudflare.com</link>
        </image>
        <lastBuildDate>Sat, 04 Apr 2026 11:10:53 GMT</lastBuildDate>
        <item>
            <title><![CDATA[Cloudflare Certifications]]></title>
            <link>https://blog.cloudflare.com/cloudflare-certifications/</link>
            <pubDate>Thu, 10 Dec 2020 12:00:00 GMT</pubDate>
            <description><![CDATA[ We think trust is fundamental to building a better Internet. Cloudflare adheres to industry-standard security compliance certifications and regulations to help our customers earn their users’ trust. ]]></description>
            <content:encoded><![CDATA[ <p>At Cloudflare, we prioritize initiatives that improve the security and privacy of our products and services. The security organization believes trust and transparency are foundational principles, ingrained in what we build, the policies we set, and the data we protect. Many of our enterprise customers have stringent regulatory compliance obligations and require cloud service providers like Cloudflare to provide assurance that we meet and exceed industry security standards. In the last couple of years, we have invested in making the evaluation of our security posture easier: we obtained recognized security certifications and reports on an aggressive timeline, and we built a team that partners with our customers to provide transparency into our security and privacy practices.</p>
    <div>
      <h3>Security Certifications &amp; Reports</h3>
    </div>
    <p>We understand the importance of providing transparency into our security processes, controls, and how our customers can continuously rely on them to operate effectively. Cloudflare complies with and supports the following standards:</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/58wbHF8JPYMoGYoQ6HZHQV/dfcca75f7fdcabce9888445d2a6b4cbf/image4-3.jpg" />
            
            </figure><p>SOC 2 Type II / SOC 3 (Service Organization Controls) - Cloudflare maintains SOC reports covering the security, confidentiality, and availability trust services criteria. The SOC 2 report provides assurance that our products and underlying infrastructure are secure and highly available while protecting the confidentiality of our customers’ data. We engage our third-party assessors annually, and the report provided to our customers covers a period of one full year.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4giruqaFOEZOQJzISJWVnx/a36041eb60295a843298bf98542c8a1f/image5-18.png" />
            
            </figure><p>ISO 27001:2013 (International Organization for Standardization) - Cloudflare’s ISO certification covers our entire platform, including our edge network and core data centers. Customers can be assured that Cloudflare has a formal information security management system that adheres to a globally recognized standard.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7btv7cHDpbSrYwMz99F8sQ/a245d79d49592d3a3b1abc98e68765eb/image2-23.png" />
            
            </figure><p>PCI Data Security Standard (DSS) - Cloudflare engages a QSA (Qualified Security Assessor) annually to assess us both as a Level 1 Merchant and as a Service Provider. As a merchant, this assures our customers that we meet the requirements to transmit their payment data securely; as a service provider, it means our customers can trust Cloudflare’s products to meet the requirements of the DSS when cardholder data is transmitted through our services.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7ABqJpPo9p1KSwzG5n3i83/afc55cd6dc362e6d172bfb059a5ebb11/image1-40.png" />
            
            </figure><p>HIPAA/HITECH Act (Health Insurance Portability and Accountability Act / Health Information Technology for Economic and Clinical Health Act) - Covered healthcare entities that use the enterprise versions of our security products to protect their application layer can be assured that Cloudflare can sign Business Associate Agreements (BAA).</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4TFsDK6aJozSWpBDy05KQK/503e35b44856d519295d0c043235b9da/image3-30.png" />
            
            </figure><p>1.1.1.1 Public DNS Resolver Privacy Examination -  Cloudflare conducted a first-of-its-kind privacy examination by a leading accounting firm to determine whether the 1.1.1.1 resolver was effectively configured to meet Cloudflare’s privacy commitments. A public summary of the assessment can be found <a href="https://www.cloudflare.com/resources/assets/slt3lc6tev37/5xlHCvvNBrvrIoWbuk1vTy/e1058b0d366adf4e983aef99a6ed2a1f/Cloudflare_1.1.1.1_Public_Resolver_Report_-_03302020__2_.pdf">here</a>.</p>
    <div>
      <h3>Security Engagement Team</h3>
    </div>
    <p>We understood that security compliance certifications and reports would provide peace of mind when using our products, but we knew they may not be enough for those who send their most sensitive information through our services. We therefore built a Security Engagement Team within our Security Organization. The team works with our customers’ security and compliance functions to understand their regulatory and compliance landscape. They are here to understand our customers’ use cases, address concerns, and relay asks and requests to our Validations, Risk, and Security Engineering Teams so we know what is top of mind for our customers.</p><p>We strive to put trust first. The certifications and reports we obtain, the security features we build, the white papers, FAQs, and documents that we create: we build all of these resources based on the needs of our customers. In the future, we will continue to listen closely to our customers, with the goal of continuously improving the security and privacy of our products and services.</p><p>For more information about our certifications and reports, please visit our compliance page - <a href="https://www.cloudflare.com/privacy-and-compliance/certifications/">cloudflare.com/compliance</a>. You can also reach us at <a href="mailto:compliance@cloudflare.com">compliance@cloudflare.com</a> for any questions.</p> ]]></content:encoded>
            <category><![CDATA[Privacy Week]]></category>
            <category><![CDATA[Certification]]></category>
            <category><![CDATA[PCI Certified]]></category>
            <guid isPermaLink="false">14iaMZCrprZMBXkUg2CMkW</guid>
            <dc:creator>Ling Wu</dc:creator>
        </item>
        <item>
            <title><![CDATA[Using Cloudflare to secure your cardholder data environment]]></title>
            <link>https://blog.cloudflare.com/using-cloudflare-to-secure-your-cardholder-data-environment/</link>
            <pubDate>Fri, 27 Mar 2020 12:00:00 GMT</pubDate>
            <description><![CDATA[ As part of our ongoing compliance efforts Cloudflare’s PCI scope is reviewed quarterly and after any significant changes to ensure all in-scope systems are operating in accordance with the PCI DSS. ]]></description>
            <content:encoded><![CDATA[ <p>As part of our ongoing compliance efforts, Cloudflare’s PCI scope is periodically reviewed (including after any significant changes) to ensure all in-scope systems are operating in accordance with the <a href="https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard">PCI DSS</a>. This review also lets us periodically look at each product we offer as a PCI validated service provider and identify where there might be opportunities to provide greater value to our customers.</p><p>Building trust in our products is one critical component that allows Cloudflare’s mission of “Helping to build a better Internet” to succeed. We reaffirm our dedication to building trust in our products by obtaining industry standard security compliance certifications and complying with regulations.</p><p>Cloudflare is a Level 1 Merchant, the highest level, and also provides services to organizations to help secure their cardholder data environment. Maintaining PCI DSS compliance is important for Cloudflare because (1) we must ensure that our transmission and processing of cardholder data is secure for our own customers, (2) our customers must know they can trust Cloudflare’s products to transmit cardholder data securely, and (3) anyone who interacts with Cloudflare’s services must know that their information is transmitted securely.</p><p>The PCI standard applies to any company or organization that accepts credit cards, debit cards, or even prepaid cards for payment. <i>The purpose of this compliance standard is to help protect financial institutions and customers from having their payment card information compromised.</i> Each major payment card brand sorts merchants into tiers based on the number of transactions made per year, and each tier has different requirements to satisfy its compliance obligations. Annually, Cloudflare undergoes an assessment by a Qualified Security Assessor. This assessor conducts a thorough review of Cloudflare’s technical environment and validates that Cloudflare’s controls related to securing the transmission, processing, and storage of cardholder data meet the requirements in the PCI Data Security Standard (PCI DSS).</p><p>Cloudflare has been PCI compliant since 2014 as both a merchant and as a service provider, but this year we have expanded our Service Provider scope to include more products that will help our customers become more secure and meet their own compliance obligations.</p>
    <div>
      <h3>How can Cloudflare Help You?</h3>
    </div>
    <p>In addition to our WAF, we are proud to announce that <i>Cloudflare’s Content Delivery Network, Cloudflare Access, and the Cloudflare Time Service are also certified under our latest Attestation of Compliance!</i></p><p>Our Attestation of Compliance applies to all Business and Enterprise accounts. It can be used to simplify your PCI audits and removes the pressure on you to manage these services or appliances locally.</p><p>If you use our WAF, enable the OWASP ruleset, and tune the rules for your environment, you will meet the need to protect web-facing applications and satisfy PCI DSS requirement 6.6.</p><p>As detailed in several recent blog posts, Cloudflare Access is changing the game and your relationship with your corporate VPN. Many organizations rely on VPNs and other segmentation tools to reduce the scope of their cardholder data environment. Cloudflare Access provides another means of segmentation, using Cloudflare’s global network in place of a VPN to reach internal resources. Additionally, Access sessions can be configured to time out after 15 minutes of inactivity, which helps customers meet requirement 8.1.8 (re-authentication after an idle session).</p><p>There are several large providers of time services that most organizations use. In 2019, however, Cloudflare announced our time.cloudflare.com NTP service. It runs on the same global network as our CDN, which gives it an advantage in latency and accuracy: our 200 locations around the world all use anycast to route your packets to our closest server. All of our servers are synchronized with stratum 1 time service providers and then offer NTP to the general public, similar to how other public NTP providers function. Accurate time is critical to keeping audit logs accurate and to responding to incidents. By changing your time source to time.cloudflare.com, we can help you meet requirement 10.4.3 (time received from industry-accepted sources).</p><p>Finally, Cloudflare lets customers enforce newer TLS versions. In the Cloudflare dashboard you can set a minimum TLS version and enable TLS 1.3, which exceeds the TLS 1.1-or-higher baseline referenced in requirement 4.1.</p><p>We use our own products to secure our cardholder data environment and hope that our customers will find these product additions as beneficial and easy to implement as we have.</p>
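    <p>The NTP exchange behind "changing your time source" above, as an added example that is not part of the original post and is not Cloudflare's own tooling: the client sends a 48-byte NTPv4 request, the server echoes the client's transmit timestamp and adds its own receive and transmit timestamps, and the client derives the clock offset and round-trip delay from the four timestamps. The live <code>query()</code> function sends one packet to time.cloudflare.com on UDP/123; the offline <code>constructed_exchange()</code> stands in for that with a hand-built reply whose stratum, timestamps and 192.0.2.1 reference address are constructed for illustration. The checks it performs before trusting a reply (server mode, leap indicator, stratum, and that the origin timestamp matches the request it sent) are the ones a client needs so that it only accepts answers to its own requests.</p>

```python
import socket
import struct
import time

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_DELTA = 2208988800

# 48-byte NTPv4 header (RFC 5905): LI/VN/Mode, stratum, poll, precision,
# root delay, root dispersion, reference ID, then the reference, origin,
# receive and transmit timestamps as 64-bit fixed-point values.
NTP_HEADER = struct.Struct("!BBBbIIIQQQQ")


def to_ntp(unix_seconds: float) -> int:
    """Unix float seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_UNIX_DELTA) << 32) | frac


def from_ntp(ts: int) -> float:
    """64-bit NTP timestamp -> Unix float seconds."""
    return (ts >> 32) - NTP_UNIX_DELTA + (ts & 0xFFFFFFFF) / (1 << 32)


def build_request(t1_unix: float) -> bytes:
    """Client packet: LI=0, VN=4, Mode=3 packs to 0x23. Only the transmit
    timestamp (T1) is set; the server echoes it back as the origin timestamp."""
    return NTP_HEADER.pack(0x23, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp(t1_unix))


def parse_reply(data: bytes, t1_unix: float, t4_unix: float) -> dict:
    """Validate a server reply and derive offset and delay (RFC 5905 section 8)."""
    if len(data) < NTP_HEADER.size:
        raise ValueError("short NTP packet")
    (li_vn_mode, stratum, _poll, _precision, _root_delay, _root_disp,
     ref_id, _ref_ts, orig_ts, recv_ts, xmit_ts) = NTP_HEADER.unpack_from(data)
    if (li_vn_mode & 0x07) != 4:
        raise ValueError("not a server-mode reply")
    if (li_vn_mode >> 6) == 3:
        raise ValueError("server reports its clock is unsynchronised (LI=3)")
    if stratum == 0:
        raise ValueError("kiss-o'-death or unsynchronised reply (stratum 0)")
    # The reply must echo our T1; anything else is a bogus or replayed packet.
    if orig_ts != to_ntp(t1_unix):
        raise ValueError("origin timestamp mismatch, reply discarded")
    t2 = from_ntp(recv_ts)   # server received our request (server clock)
    t3 = from_ntp(xmit_ts)   # server sent its reply (server clock)
    offset = ((t2 - t1_unix) + (t3 - t4_unix)) / 2   # server clock minus ours
    delay = (t4_unix - t1_unix) - (t3 - t2)           # round trip minus server hold time
    # Reference ID names the upstream: a 4-char source code at stratum 1
    # (e.g. "GPS"), the upstream's IPv4 address at stratum 2 and above.
    raw = ref_id.to_bytes(4, "big")
    reference = raw.decode("ascii", "replace").rstrip("\x00") if stratum == 1 else socket.inet_ntoa(raw)
    return {"stratum": stratum, "reference": reference, "offset": offset, "delay": delay}


def query(host: str = "time.cloudflare.com", port: int = 123, timeout: float = 2.0) -> dict:
    """One live client/server exchange over UDP (needs network; not run by the example)."""
    t1 = time.time()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(t1), (host, port))
        data, _ = sock.recvfrom(512)
    return parse_reply(data, t1, time.time())


def constructed_exchange() -> dict:
    """Offline stand-in for query(): a hand-built reply in which the server clock
    runs 0.5 s ahead of ours and one-way latency is about 15 ms. The stratum and
    the 192.0.2.1 (TEST-NET-1) reference address are made up for illustration."""
    t1 = 1585310400.0    # we send (our clock)
    t2 = t1 + 0.515      # server receives (its clock = ours + 0.5 s, after 15 ms in flight)
    t3 = t1 + 0.516      # server replies 1 ms later (its clock)
    t4 = t1 + 0.031      # we receive (our clock)
    ref_id = struct.unpack("!I", socket.inet_aton("192.0.2.1"))[0]
    reply = NTP_HEADER.pack(0x24, 2, 6, -20, 0, 0, ref_id,   # LI=0 VN=4 Mode=4, stratum 2
                            to_ntp(t2 - 10), to_ntp(t1), to_ntp(t2), to_ntp(t3))
    return parse_reply(reply, t1, t4)


if __name__ == "__main__":
    print(constructed_exchange())
```

<p>Running the block prints the constructed result (offset 0.5 s, delay 30 ms, stratum 2); replacing the last line with <code>print(query())</code> performs the real exchange against time.cloudflare.com. The stratum in a live reply tells you how many hops you are from the stratum 1 sources the post mentions, and the offset is what a daemon such as chrony or ntpd would slew out; a single unauthenticated query is a diagnostic, not a substitute for a properly configured time daemon.</p>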
    <div>
      <h3>Learn more about Compliance at Cloudflare</h3>
    </div>
    <p>Cloudflare is committed to helping our customers earn their users’ trust by ensuring our products are secure. The Security team is committed to adhering to security compliance certifications and regulations that maintain the security, confidentiality, and availability of company and client information.</p><p>In order to help our customers keep track of the latest certifications, Cloudflare continually updates our compliance certification page - <a href="https://www.cloudflare.com/compliance">www.cloudflare.com/compliance</a>. Today, you can view our status on all compliance certifications and download our SOC 3 report.</p> ]]></content:encoded>
            <category><![CDATA[PCI Certified]]></category>
            <category><![CDATA[Security]]></category>
            <category><![CDATA[Better Internet]]></category>
            <guid isPermaLink="false">3hBmvtO9EdmBDuaJ64649K</guid>
            <dc:creator>Jacob Zollinger</dc:creator>
        </item>
        <item>
            <title><![CDATA[CloudFlare is now PCI 3.1 certified]]></title>
            <link>https://blog.cloudflare.com/cloudflare-is-now-pci-3-1-certified/</link>
            <pubDate>Mon, 02 Nov 2015 07:00:42 GMT</pubDate>
            <description><![CDATA[ The Payment Card Industry Data Security Standard (PCI DSS) is a global financial information security standard that keeps credit card holders safe. It ensures that any company processing credit card transactions adheres to the highest technical standards. ]]></description>
            <content:encoded><![CDATA[ <p>The Payment Card Industry Data Security Standard (<a href="https://www.cloudflare.com/learning/privacy/what-is-pci-dss-compliance/">PCI DSS</a>) is a global financial information security standard that keeps credit card holders safe. It ensures that any company processing credit card transactions adheres to the highest technical standards.</p><p>PCI certification has several levels. Level one (the highest level) is reserved for those companies that handle the greatest numbers of credit cards. Companies at level one PCI compliance are subject to the most stringent checks.</p><p>CloudFlare’s mission leads it to provide security for some of the most important companies in the world. This is why CloudFlare chose to be audited as a level one service provider. By adhering to PCI’s rigorous financial security controls, CloudFlare ensures that security is held to the highest standard and that those controls are validated independently by a recognised body.</p><p>If you are interested in learning more, see these <a href="https://www.pcisecuritystandards.org/security_standards/">details about the Payment Card Industry Data Security Standard</a>.</p><p>This year’s update <a href="/cloudflare-is-pci-certified/">from PCI 2.0</a> to 3.1 was long overdue. PCI DSS 2.0 was issued in October 2010, and the <a href="https://www.cloudflare.com/learning/security/what-is-information-security/">information security</a> threat landscape does not stand still, especially when it comes to industries that deal with financial payments or credit cards. New attacks are almost a daily occurrence, which means that an out-of-date security standard is often worse than no standard at all.</p>
    <div>
      <h3>What’s new in PCI 3.1?</h3>
    </div>
    <p>In PCI 3.1, the PCI council attempted to address this issue by both covering known attacks that have come out since the last version of the standard and beefing up financial security controls in anticipation of <i>future</i> attacks.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6hasb9XF08toehB7Lm1mQW/e84dbfb7f6a513a104f3ca7d47b8b495/image_1-1.jpg" />
            
            </figure><p>Here is a summary of the changes between PCI versions 2.0 and 3.1:</p>
    <div>
      <h3>Accessibility and awareness</h3>
    </div>
    <p>The PCI council has realized that the first lines of defense in any organization are the information security practitioners, developers, and engineers. With this in mind, the council has removed much of the "legal-speak" in the PCI DSS documentation, making it readable for the average person. Each section has an explanation, and each requirement has a justification with examples when possible.</p>
    <div>
      <h3>PCI lifecycle</h3>
    </div>
    <p>Version 2.0 of the PCI standard relied on the annual audits each organization must go through to demonstrate compliance. This led to a culture of "tickbox security" in which organizations would do the bare minimum during the year, then rush to make the necessary changes to meet compliance requirements in time for their audit. This is a bad way to do security.</p><p>Security should be holistic and ongoing. A company should ensure that security is built into every level of the organization. Security features should be incorporated into products from the ground up. Not only is this the least expensive way to do security, it is also the most secure way.</p><p>To this end, PCI 3.1 was designed to integrate into the everyday operations of a compliant organization. This integration ranges from embedding PCI in critical operational processes to making PCI compliance an integral part of the Software Development Lifecycle (SDLC) that the company uses to build its products. PCI is present at every level of the operation.</p><p>Furthermore, PCI now requires that the processes which support these critical business functions are robust. This means that things like the patch management process or vulnerability testing process have a clearly defined owner, a clearly defined review process, and a clear timetable.</p>
    <div>
      <h3>Further addressing "tickbox security"</h3>
    </div>
    <p>Another aspect of the "tickbox security" culture that developed around PCI 2.0 was the fact that it was possible to use documentation to fool the audit process. This led companies toward a “smoke and mirrors” strategy for covering up substantial security flaws or implying compensating controls that did not exist.</p><p>To address this, PCI 3.1 became much more rigorous about evidence. It is no longer sufficient to say, "here is some paperwork about this control." The control itself has to be tested and evaluated by the auditor before the organization can be passed as compliant. Furthermore, PCI 3.1 also insists on vulnerability testing on a regular basis at every stage of the development lifecycle. This requirement is designed to catch weaknesses that might have slipped through the cracks and to detect software vulnerabilities that somehow missed getting patched.</p>
    <div>
      <h3>Shared responsibility</h3>
    </div>
    <p>It has become clear to many information security practitioners that security is a complex, multi-actor deliverable. This means the weak link in the chain can, and often does, undermine other substantially more secure organizations. PCI 3.1 now recognizes this with a definition of responsibilities for all stakeholders in the payment process. Whether you’re a merchant, service provider, or card issuer, it is no longer possible to completely outsource accountability. This forces the whole chain into the light of the day and ensures that good security practices are followed every step of the way.</p>
    <div>
      <h3>Out with the old, in with the new (TLS)</h3>
    </div>
    <p>TLS 1.0 and 1.1 have been around for a long time, and SSL 3.0 even longer. The problem is that encryption has a shelf-life. As time passes, flaws are found in these protocols, and computing performance reaches a level where it can break widely deployed algorithms. Eventually, the encryption technology of yesterday no longer offers the protection it did when it was first released.</p><p>With PCI 3.1, the payment card industry recognises this by setting a "sunset date" for old encryption standards. In order to remain compliant after June 30 2016, companies must switch off SSL 3.0 and TLS 1.0, which the standard groups together as "SSL and early TLS" and no longer counts as strong cryptography; TLS 1.1 or higher remains acceptable, with TLS 1.2 strongly recommended. This is a step in the right direction, and it affects CloudFlare as much as it affects our customers.</p><p>However, a significant amount of the world still uses TLS 1.0 (14% of traffic last time we looked). We recognise that not everyone wants, or needs, to switch it off yet. As a result, we will be offering our customers who wish to be PCI compliant a feature that will allow them to ensure their CloudFlare configuration meets PCI DSS guidelines.</p>
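    <p>Both the TLS 1.1-or-higher baseline mentioned in the 2020 post above and the sunset described here leave an operator with the same practical question: which protocol versions does a given endpoint actually accept? The following Python script is an added example, not code from the original post or from Cloudflare. It pins one TLS version per connection attempt, records which versions the server completes a handshake with, and grades the result against the "SSL and early TLS" grouping. The version grouping, the function names and the command-line usage are the example's own assumptions. SSL 3.0 is not probed because Python's ssl module cannot negotiate it.</p>

```python
import socket
import ssl

# Versions probed, oldest first. SSL 3.0 is deliberately absent: the ssl module
# cannot negotiate it, so check a suspect legacy stack with `openssl s_client -ssl3`.
PROBE_VERSIONS = [
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
]

# PCI DSS 3.1 grouping (example's own encoding of the text): "SSL and early TLS"
# is not strong cryptography and must be off; TLS 1.1 is the lowest version the
# standard still accepts; TLS 1.2 and later are the target.
MUST_DISABLE = {"SSL 3.0", "TLS 1.0"}
TOLERATED = {"TLS 1.1"}


def probe_versions(host: str, port: int = 443, timeout: float = 3.0) -> set:
    """Return the names of the versions the server completes a handshake with.

    Each attempt pins both the minimum and maximum version so the server cannot
    negotiate anything other than the version under test. Certificate checks are
    disabled because this probes protocol support, not identity. Caveat: a client
    OpenSSL built without TLS 1.0/1.1 makes those attempts fail on the client side,
    which shows up here as "rejected" even if the server would accept them.
    """
    accepted = set()
    for name, version in PROBE_VERSIONS:
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            ctx.minimum_version = version
            ctx.maximum_version = version
            if version < ssl.TLSVersion.TLSv1_2:
                # Modern OpenSSL refuses legacy cipher suites at its default
                # security level; lower it so the client actually offers them.
                ctx.set_ciphers("ALL:@SECLEVEL=0")
            with socket.create_connection((host, port), timeout=timeout) as raw:
                # wrap_socket performs the handshake; reaching the body means
                # the server agreed to this exact version.
                with ctx.wrap_socket(raw, server_hostname=host):
                    accepted.add(name)
        except (ssl.SSLError, OSError, ValueError):
            continue  # handshake refused or version unavailable on this client
    return accepted


def pci_verdict(accepted: set) -> dict:
    """Map a set of accepted version names to per-version findings and an overall
    pass/fail against the "SSL and early TLS" sunset."""
    findings = {}
    for name in sorted(accepted):
        if name in MUST_DISABLE:
            findings[name] = "disable: SSL/early TLS is not strong cryptography"
        elif name in TOLERATED:
            findings[name] = "permitted under the TLS 1.1-or-higher baseline; migrate to TLS 1.2+"
        else:
            findings[name] = "ok"
    compliant = bool(accepted) and not (accepted & MUST_DISABLE)
    return {"compliant": compliant, "findings": findings}


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: tls_probe.py <hostname>")   # script name is a placeholder
    print(pci_verdict(probe_versions(sys.argv[1])))
```

<p>Probe the origin directly as well as the Cloudflare-fronted hostname: the dashboard's minimum TLS setting governs the visitor-to-edge connection, not what the origin itself accepts from the edge or from anyone who reaches it directly. If TLS 1.0 shows as rejected on a host you know still serves it, the client's own OpenSSL is the likely reason; confirm with <code>openssl s_client -tls1</code> before closing the finding.</p>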
    <div>
      <h3>Summary</h3>
    </div>
    <p>The changes between PCI 2.0 and 3.1 made re-certification a lengthy, but highly illuminating, process for CloudFlare. We achieved full compliance as a level one service provider while substantially improving our security along the way. We also learned a lot about the compliance needs of our customers through this process, and you can expect a lot more compliance-related features to surface further down the road.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1dBBHum02bRtsE5AhOZLJG/f6617ae58ea4da4d6dd17f7ef369fd8f/image_2-1.jpg" />
            
            </figure> ]]></content:encoded>
            <category><![CDATA[PCI Certified]]></category>
            <guid isPermaLink="false">49IKkpFS4bdmrgVZIVfzNa</guid>
            <dc:creator>Marc Rogers</dc:creator>
        </item>
        <item>
            <title><![CDATA[CloudFlare is PCI Certified]]></title>
            <link>https://blog.cloudflare.com/cloudflare-is-pci-certified/</link>
            <pubDate>Wed, 04 Jun 2014 08:00:00 GMT</pubDate>
            <description><![CDATA[ Great news for everyone using CloudFlare on an e-commerce site, or a site accepting or processing credit card transactions. After undergoing a Payment Card Industry (PCI) Data Security Standard (DSS) 2.0 security control assessment, we’ve been certified as a Level 1 service provider. ]]></description>
            <content:encoded><![CDATA[ <p>Great news for everyone using CloudFlare on an <a href="https://www.cloudflare.com/ecommerce/">e-commerce site</a>, or a site accepting or processing credit card transactions.</p><p>After undergoing a Payment Card Industry (PCI) Data Security Standard (DSS) 2.0 security control assessment, we’ve been certified as a Level 1 service provider. Achieving Level 1 status requires an assessment of our security controls by an independent third party—a Qualified Security Assessor (QSA).</p><p>Additionally, CloudFlare’s <a href="https://www.cloudflare.com/waf">Web Application Firewall</a> (WAF) helps companies meet PCI requirement 6.6. Our <a href="https://www.cloudflare.com/learning/ddos/glossary/web-application-firewall-waf/">WAF</a> not only helps protect our customers from application layer attacks, but also secures the data of online consumers making purchases on sites within the CloudFlare network.</p><p>What’s even better is that we’ve achieved <a href="https://www.cloudflare.com/learning/privacy/what-is-pci-dss-compliance/">Level 1 PCI compliance</a> while still allowing for expansion of our global data center network. Over the coming weeks, we plan to turn on four new <a href="https://www.cloudflare.com/network-map">data centers</a> in Madrid, Spain; Milan, Italy; Medellín, Colombia; and São Paulo, Brazil.</p><p>Stay tuned for updates on these new locations!</p><p>Have questions about CloudFlare’s PCI status? Check out this <a href="https://support.cloudflare.com/hc/en-us/articles/202249734">FAQ section</a>.</p> ]]></content:encoded>
            <category><![CDATA[PCI Certified]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[WAF]]></category>
            <category><![CDATA[eCommerce]]></category>
            <guid isPermaLink="false">59M8zHbIljk7LtnATaW0z7</guid>
            <dc:creator>Matthew Prince</dc:creator>
        </item>
    </channel>
</rss>