
PCI Overview & Responsibilities for B2C Commerce Customers

Publication date: Apr 13, 2026
Description

As a PCI DSS Compliant Service Provider, B2C Commerce is responsible for ensuring that the base service provided to customers is PCI DSS compliant and allows customers to customize in a compliant way. Leveraging the B2C Commerce platform doesn't mean that a customer is inherently PCI Compliant. This document is intended to help address where we can assist our customers with their audits, what our responsibilities are, and what our customers’ responsibilities are.

Resolution

PCI DSS Standard

The PCI DSS Standard was adopted by all the major card issuers to address data security issues. It is broken up into several sections that broadly address:

  • Network Security
  • Protection of Cardholder Data
  • Vulnerability Management
  • Access Control Measures
  • Monitoring and Testing of Controls and Security
  • Information Security Policies


You can find a listing of B2C Commerce as a registered service provider at the following locations:


As proof of compliance B2C Commerce will provide a copy of our current PCI Attestation of Compliance (AOC). Please contact Commerce Support if you need a copy of our AOC.


B2C Commerce Responsibility

All Merchants have full responsibility for ensuring their own PCI DSS Merchant compliance. Regarding the B2C Commerce platform, the following lists the major items in scope for B2C Commerce as a PCI DSS compliant Service Provider. These items cover customer data that is stored within our service. The customer's own compliance obligations arise primarily around integrations and any exchange of sensitive data with systems outside of the B2C Commerce Platform service (such as an external OMS system). Specifically, the list addresses the 12 major PCI DSS requirement sections:

 

  1. Firewall configuration is validated and tested. B2C Commerce is responsible for all firewall configuration and testing.
  2. Default passwords are removed and acceptable system security parameters are maintained.
  3. Credit Card information stored on the B2C Commerce platform is stored in encrypted form, as long as the standard API for credit card data access is used. B2C Commerce will perform automatic re-keying and other protection mechanisms for this data.         
  4. B2C Commerce enables the customer to use transport encryption (TLS/SSH) or payload encryption (industry standard encryption capabilities) when exchanging credit card data with third party systems. The SiteGenesis reference application uses the platform correctly to ensure that all sensitive portions of a consumer session are protected. This applies also to the administrative Business Manager application.
  5. Where appropriate B2C Commerce scans for virus and/or malware.
  6. B2C Commerce follows industry standard coding practices and monitors security mailing lists to ensure that any core component development is done in a secure manner. We also do vulnerability scan testing as part of our QA process. Customers are responsible for doing vulnerability scans and code reviews on any customizations they have created on the service.
  7. B2C Commerce strongly restricts access to customer data only to internal personnel that have a business requirement justifying the access. These people undergo background checks as part of their employment with Salesforce Support.
  8. For the entire B2C Commerce platform environment, user access is protected by an audit trail that allows identification of user through their unique ID. For B2C Commerce personnel this is enforced by B2C Commerce policies and procedures.
  9. Physical access is commensurate with PCI DSS requirements at all B2C Commerce platform facilities.
  10. B2C Commerce monitors both external and internal connectivity for unexpected traffic. In addition B2C Commerce maintains comprehensive internal log files and offers customers the ability to download security and custom logs for 30 days. 
  11. B2C Commerce tests our service as part of our QA process as well as regularly scheduled penetration testing and vulnerability scans with our external security auditor. Customers are responsible for testing their storefront, customizations, and any integrations of other services. 
  12. B2C Commerce has well defined internal policies and procedures around information security.


Customer Responsibility

As mentioned before, for any external integration or customization built on top of the B2C Commerce platform the customer is responsible for ensuring PCI-DSS compliance. Common examples include:

  • External integration to OMS and other services: is it over TLS and with appropriate firewall restrictions?
  • In regards to firewall rules, customers are responsible for the outbound ports they request to be opened from B2C Commerce. Customers should take into account insecure ports and how they may affect their PCI compliance; please consult with your QSA if there are questions. Customers should review the need for the requested outbound ports every 6 months and notify B2C Commerce if those ports are no longer necessary so they can be removed.
  • Customers are responsible for defining how long they are retaining payment data for. This can be managed in Business Manager by defining the Payment Information Retention.
  • Custom exports are encrypted and treated appropriately.
  • Any customizations are done with an understanding of the possible security ramifications. Customers are responsible for ensuring that their customizations do not capture credit card or other sensitive information through insecure means. Clear text storage of credit card information (including in log files) is never permitted, and customers are responsible for complying with this requirement.
  • Vulnerability and Penetration testing is done by an external QSA/ASV.
  • Maintaining custom logs specific to customer security and access control, i.e. customer using the B2C Commerce log framework, error, custom error, security or other logs. Custom logs and other security logs should be downloaded within 30 days and archived by the customer according to the PCI DSS requirement.
  • Two Factor Authentication (2FA) must be put in place for code updates to the Staging instance. This 2FA certificate is managed by customers, and they can follow their own security policies that they have in place for code deployments to the B2C Commerce platform.

NOTE: This list is not comprehensive – you should consult with your PCI DSS assessor or consultant to determine all requirements and responsibilities you have to maintain your PCI DSS Merchant compliance.
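The two list items about customizations and custom logs share one practical control: nothing written to the log framework may contain a clear text card number. Server-side customizations on the platform are written in JavaScript, so the following is an added example (not Salesforce code, and it deliberately uses no platform-specific logger API) of a redaction helper a customization could wrap around its own log calls. The sample log lines are constructed for illustration; the Luhn check is there so that 13-19 digit order numbers and timestamps are not masked by mistake, and only the last four digits are kept, which is stricter than the first-six/last-four display allowance and is the safer choice for logs.

```javascript
// Added example: redact primary account numbers (PANs) from free-text log
// messages before they reach any log file. Not part of the Salesforce article.

// Luhn checksum: every second digit from the right is doubled (minus 9 if > 9),
// and a valid PAN sums to a multiple of 10. Used only to reduce false positives.
function luhnValid(digits) {
  var sum = 0;
  var alternate = false;
  for (var i = digits.length - 1; i >= 0; i--) {
    var n = digits.charCodeAt(i) - 48; // '0' is 48
    if (alternate) {
      n *= 2;
      if (n > 9) n -= 9;
    }
    sum += n;
    alternate = !alternate;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes.
var PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Replace every Luhn-valid candidate with stars plus its last four digits.
function maskPan(text) {
  return String(text).replace(PAN_CANDIDATE, function (match) {
    var digits = match.replace(/[ -]/g, '');
    if (!luhnValid(digits)) {
      return match; // fails Luhn: treat as an order number or similar, leave intact
    }
    var stars = '';
    for (var i = 0; i < digits.length - 4; i++) stars += '*';
    return stars + digits.slice(-4);
  });
}

// Minimal wrapper a customization would put in front of its real logger
// (hypothetical sink: here it just collects lines so the result can be inspected).
function makeSafeLogger(sink) {
  return {
    info: function (message) { sink.push('INFO ' + maskPan(message)); },
    error: function (message) { sink.push('ERROR ' + maskPan(message)); }
  };
}

// Constructed sample messages of the kind a careless customization might emit.
function demo() {
  var lines = [];
  var log = makeSafeLogger(lines);
  log.error('authorization declined for card 4111 1111 1111 1111, order 1234567890123456');
  log.info('token request for 5500000000000004 returned 200');
  return lines;
}
```

Usage: call `demo()` to see the two constructed messages after redaction; the Visa and Mastercard test numbers are masked to their last four digits, while the 16-digit order number, which fails Luhn, is left as it is. A real wrapper would forward the masked string to the platform log framework instead of pushing it onto an array.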


How does B2C Commerce help with my audit?

Most auditors are very familiar with working with external PCI compliant partners. You can download any relevant documentation from the links above; this includes our listing as a service provider with the credit card companies. You may also log a ticket with Support to request a copy of the B2C Commerce AOC. This should be sufficient for your auditor to start identifying where our responsibility as a service provider ends and where your responsibility begins. B2C Commerce does not assist in completing any portion of a customer PCI audit; this includes Self-Assessment Questionnaires (SAQ).


Scheduling Audits/Security Scans
Please see the information outlined in Security Assessments.


Who do I contact if I have questions?

If you are unable to find the answer to your question in this document, please post a question in the Trailblazer Community or reach out to Commerce Support.

Knowledge article number

000391196

Salesforce Help | Article