Simplified PCI DSS Compliance in Salesforce Commerce Cloud

Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is a bare minimum in today’s world, given the current climate of cloud security. The list of PCI DSS requirements has grown significantly (and continues to grow) to cover every aspect of payments, cardholder and other sensitive data, and everything in between.

The standard to be upheld has been updated from v3.2.1 to v4.0, with a 2023 deadline in place for the transition. Its intersection with Salesforce Commerce Cloud is where things get interesting.

Salesforce Security is Often Overlooked

This happens because of the trust placed in Salesforce as a platform. Although Salesforce itself is PCI DSS compliant, it does not take responsibility for your customizations or for any third-party application you buy or use alongside Salesforce (or for any security vulnerabilities they introduce).

So just because Salesforce Commerce Cloud itself is in compliance with PCI DSS, it does not mean that your custom applications are. Your compliance status depends on many other factors too. For example:

  • What are you doing with the data? Are you storing it? If so, how?
  • Who has access to it? Is there a retention policy?
  • Which controls in your code actually close the loopholes for all of the above?

Security is a Shared Responsibility

With each customization, all of those questions need to be addressed. Ignoring them can easily be the root cause of the next data breach, adding to the 38% of companies that suffered the same fate YTD. Reflecting the state of cloud security in the industry, Salesforce introduced its own version of the shared responsibility model. In practice, it offloads a lot of the responsibility onto you, the customer, to handle independently.

To be PCI DSS compliant, Salesforce requires you to:

  • Establish a process to identify security vulnerabilities
  • Ensure non-storage of sensitive authentication data
  • Identify all high-risk vulnerabilities
  • Ensure Access Control
  • Perform routine scans and rescans
  • Diagnose exploits
  • Actively prevent Injection flaws and Cross-Site Scripting

You can view the detailed list HERE. In addition, you can’t store credit card details in Salesforce Commerce Cloud securely without an additional PCI DSS compliant product to process your billing. Being non-compliant could result in thousands of dollars in fines from the PCI Council until the solution is made compliant.

And that doesn’t even account for the irreparable damage caused to your brand identity and the loss of your customers’ trust.

So What Is Your Security Achilles Heel?

Most applications built and hosted on Salesforce Commerce Cloud are customer-facing, which exposes them to a much wider range of threats. Because these applications handle PII and other highly sensitive data, the cost of each vulnerability can be 10x higher and can result in a wide range of violations.

But we have a way to make it easier for you to keep up.

DigitSec not only allows you to discover your “Achilles Heel” and identify vulnerabilities, but it also enables you to carry out your share of PCI DSS (and Salesforce’s) compliance requirements. Integrated into your existing testing process, it can act as a catalyst for your compliance journey. By keeping your code in check and ensuring you don’t violate security standards, it protects both you and your customers.

PCI DSS compliance for Salesforce Commerce Cloud is not optional for most online retailers, so we can help micro-manage that security for you.

Find out how exactly HERE.

Adrian Szwarcburg

DigitSec brings four scans to protect Salesforce: Source Code Analysis, Custom Runtime Testing, Software Composition Analysis, & Cloud Security Configuration Review. #DevOps
