Announcing PCI Compliance for Heroku Shield

In June we announced Heroku Shield with new high compliance features for Heroku Private Spaces. Heroku Shield enables businesses like AlignTech to deploy apps that handle protected health information (PHI) in accordance with government regulations.

Today, we are proud to announce that Heroku Shield Services have been validated as PCI Level 1 Service Provider compliant. This designation helps our customers understand how Heroku's systems and human processes work together to safeguard customer data. It helps security and audit teams in choosing Heroku as a platform for running a company's most critical apps.

The Payment Card Industry Data Security Standard (PCI DSS) is one of the most widely known, industry-defined security standards. It mandates explicit security controls and requires certified organizations to be audited by a qualified security assessor. The combination of rigor and broad adoption makes PCI a valuable tool for building trust between Heroku and our customers.

Growing a successful business and acquiring satisfied and trusting customers is a significant feat and is something to protect carefully. It is only natural that as a business grows, it becomes more risk averse. But when risk aversion turns into resistance to change, it creates a different existential risk: the business stops adapting to the market.

Businesses rely on Heroku to drive change. Heroku gives dev teams a way to rapidly evolve the customer experience while meeting complex compliance requirements around change control, OS patching, access controls, encryption, intrusion detection, business continuity and more. Heroku's platform acts as an interface between continuous delivery teams and centralized security and compliance functions, making life easier for both. For example, when an app runs in a Shield Private Space, the security team knows that all access to production is keystroke logged and that vulnerable TLS protocols are not used, among other controls. No ongoing audit of the tooling or infrastructure is needed because no one had to build any tools or infrastructure. Code reviews and audits are simpler because the app code has to perform fewer security functions. Because production access can be safely granted to the dev team, developers can properly monitor their production applications, quickly diagnose bugs and performance problems, and deploy fixes right away.

Come meet members of our security team at our Dreamforce technical session on Heroku Shield on Wednesday November 8. For more information on Heroku Shield Services and our approach to compliance, see the Dev Center article, or contact Heroku.