Payment Card Industry Data Security Standard, or PCI-DSS, is an information security standard that is designed to protect credit card data from being exposed and used fraudulently. This article will answer some frequently asked questions about Acquia's compliance with this security standard.
Is Acquia’s hosting PCI-DSS compliant?
Acquia has a PCI-DSS compliant hosting environment as part of Acquia Cloud Enterprise. A Qualified Security Assessor (QSA) company performs an annual audit to verify that the Acquia platform is compliant with PCI-DSS. The Attestation of Compliance (AOC) and Report on Compliance (ROC) documents validating Acquia PCI-DSS compliance can be provided to prospective or current customers upon request.
Is Acquia protected against the BEAST attack on TLS?
Acquia Cloud no longer supports RC4-based SSL/TLS cipher suites because of RC4's known cryptographic weaknesses (keystream biases that allow plaintext recovery). BEAST is a chosen-plaintext attack against CBC-mode cipher suites in TLS 1.0 and SSL 3.0, and preferring the RC4 stream cipher was the common server-side mitigation; dropping RC4 therefore means that Acquia Cloud no longer includes server-side mitigation of BEAST. We consider the existing client-side mitigation (the 1/n-1 record splitting that modern browsers apply to TLS 1.0 CBC records) sufficient, and the weaknesses of RC4-based cipher suites a much more significant threat than BEAST. For more information, we recommend reading the Qualys Security Labs discussion, Is BEAST Still a Threat?
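The trade-off above comes down to two properties of a server's cipher configuration: whether it still offers RC4, and whether CBC-mode suites can be negotiated under TLS 1.0 or SSL 3.0 (the precondition for BEAST). The following script, added here as an illustration and not Acquia's own code or configuration, resolves an OpenSSL-style cipher string against the OpenSSL library linked into the local Python and reports both properties. The two cipher strings are assumptions chosen to contrast the old "RC4 first" mitigation with a configuration that drops RC4 and requires TLS 1.2.

```python
"""Check a TLS cipher configuration for two properties: whether it offers RC4,
and whether CBC-mode suites are negotiable under TLS 1.0 (BEAST precondition).
Added example; uses the OpenSSL linked into Python, so the resolved suite
list reflects what this host would actually offer."""
import ssl

TLS1_0 = ssl.TLSVersion.TLSv1
TLS1_2 = ssl.TLSVersion.TLSv1_2

# Illustrative cipher strings (assumptions, not Acquia's configuration).
# The first reproduces the old server-side BEAST mitigation: RC4 preferred.
LEGACY_RC4_FIRST = "RC4-SHA:HIGH:!aNULL:!MD5"
# The second drops RC4 and 3DES and prefers AEAD (GCM/ChaCha20) suites.
HARDENED = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:HIGH:!aNULL:!MD5:!RC4:!3DES"


def resolve_suites(cipher_string, minimum_version=TLS1_2):
    """Return the suite descriptions (shape of SSLContext.get_ciphers()) that
    the local OpenSSL would offer for cipher_string; [] if none is selectable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = minimum_version
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # e.g. a string naming only RC4 on an OpenSSL build that dropped RC4
        return []
    return ctx.get_ciphers()


def audit_suites(suites, minimum_version=TLS1_2):
    """Classify suites and derive the two findings.

    suites: list of dicts with at least 'name', 'aead' and 'symmetric' keys,
    i.e. the shape SSLContext.get_ciphers() returns.
    """
    report = {"rc4": [], "cbc": [], "aead": []}
    for suite in suites:
        name = suite["name"]
        symmetric = (suite.get("symmetric") or "").lower()
        if "rc4" in symmetric or "RC4" in name.upper():
            report["rc4"].append(name)
        elif suite.get("aead"):
            report["aead"].append(name)
        else:
            # Non-AEAD TLS suites are CBC-mode block ciphers (AES-CBC, 3DES).
            # They matter for BEAST only when TLS 1.0 / SSL 3.0 is allowed.
            report["cbc"].append(name)
    report["offers_rc4"] = bool(report["rc4"])
    # TLSVersion is an IntEnum, so MINIMUM_SUPPORTED and SSLv3 also compare low.
    report["beast_exposed"] = bool(report["cbc"]) and minimum_version <= TLS1_0
    return report


def check_policy(cipher_string, minimum_version=TLS1_2):
    """Resolve a cipher string on this host and audit the result."""
    suites = resolve_suites(cipher_string, minimum_version)
    report = audit_suites(suites, minimum_version)
    report["suite_count"] = len(suites)
    return report


if __name__ == "__main__":
    for label, cipher_string, minimum in (
        ("legacy, TLS 1.0 allowed", LEGACY_RC4_FIRST, TLS1_0),
        ("hardened, TLS 1.2 minimum", HARDENED, TLS1_2),
    ):
        r = check_policy(cipher_string, minimum)
        print(f"{label}: {r['suite_count']} suites, offers_rc4={r['offers_rc4']}, "
              f"beast_exposed={r['beast_exposed']}")
        print("  rc4:", r["rc4"])
        print("  cbc:", r["cbc"][:5], "..." if len(r["cbc"]) > 5 else "")
        print("  aead:", r["aead"][:5], "..." if len(r["aead"]) > 5 else "")
```

On an OpenSSL 3 build the legacy string will typically show no RC4 suites at all, because the library itself no longer ships them; on such hosts the remaining risk is CBC under TLS 1.0, which is closed by the minimum-version setting rather than by cipher selection. The `audit_suites` function also accepts suite lists captured from a scanner, as long as they carry the same `name`, `aead` and `symmetric` fields.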