SOC 2, ISO 27001, and PCI DSS: A testament to security and trust.
According to IBM's 2024 Cost of a Data Breach report, the global average cost of a data breach has risen to $4.88 million, with ecommerce and financial services among the sectors most exposed. Cybersecurity Ventures projects that cybercrime will cost the global economy $9.5 trillion in 2024, and a frequently cited estimate puts a new cyber attack at roughly every 39 seconds. For enterprise brands these are existential numbers: a single breach can destroy customer trust built over decades, cause severe reputational damage, and bring heavy financial penalties. Security has become the fundamental currency of trust, and brands choose technology vendors they can rely on as security partners, entrusted with their most valuable asset: customer confidence.
In 2024, Commerce Layer achieved several security certifications and distinctions that represent more than a technical milestone: they are independent validations of how much we invest in keeping our clients and their customers safe. They are SOC 2, PCI DSS, and ISO 27001. In addition, although it is not a security or compliance standard, we completed the AWS Foundational Technical Review, a further third-party evaluation of our platform. In this post we look at each one: what it means, what we had to do to meet it, and why it matters to any brand.
SOC 2: The foundation of trust in service organizations
The AICPA introduced the Service Organization Control (SOC) reporting framework in 2010-2011 (renamed System and Organization Controls in 2017) as the successor to SAS 70 audits, in response to the growing complexity of service-based business models and the need for standardized security assurance. Created to give customers transparency into a service organization's control environment, SOC 2 has become a critical benchmark for:
- Demonstrating organizational commitment to data security
- Providing independent verification of security practices
- Addressing growing concerns about data protection in cloud-based services
- Creating a standardized approach to evaluating organizational controls
SOC 2 matters in modern computing because it addresses the critical need for:
- Transparent security practices
- Independent verification of control mechanisms
- Comprehensive risk management
- Customer confidence in digital service providers
Commerce Layer’s SOC 2 Type II report (strictly an attestation issued by an independent auditor rather than a certificate) covered a 12-month observation period, during which the auditor tested not only the design of our controls but their operating effectiveness over time. We’ve listed the highlights in the following sub-sections.
Demonstrated capabilities:
- Cryptographic controls (AES-256 encryption for data at rest; TLS for data in transit)
- Multi-factor authentication implementation
- Detailed access control mechanisms
- Granular user permission management
- Comprehensive logging and monitoring systems
Technical implementation highlights:
- Implemented zero-trust network architecture
- Deployed advanced intrusion detection systems (IDS)
- Established continuous security event monitoring with real-time alerting
- Utilized machine learning-powered anomaly detection
- Maintained detailed audit trails with immutable log preservation
Security controls validated:
- Control mapping to the NIST SP 800-53 control framework
- Advanced encryption protocols
- Robust identity and access management (IAM)
- Comprehensive incident response procedures
For enterprise clients, a SOC 2 report is a non-negotiable requirement. Ours shows that we have implemented robust security controls protecting sensitive customer and transaction data, and that we commit to a proactive approach to risk management and data protection.
PCI DSS: The evolution of payment security standards.
The Payment Card Industry Data Security Standard (PCI DSS) was first published in 2004 as a joint effort of the major card brands (Visa, Mastercard, American Express, Discover, and JCB), each of which had previously run its own security program; the PCI Security Standards Council that now maintains the standard was formed in 2006. It was a response to escalating cybercrime and card-data breaches in a fast-growing digital payment ecosystem in which security requirements had been fragmented and inconsistent. PCI DSS is both a compliance checklist and an industry framework that:
- Standardizes global payment security practices
- Protects consumers from financial fraud
- Creates a unified approach to data protection
- Reduces financial risks for businesses and consumers
To attain PCI DSS Level 1 service provider validation, which requires an annual on-site assessment by a Qualified Security Assessor (QSA) resulting in a Report on Compliance, we demonstrated the following technical specifications, implementation details, and security mechanisms.
Technical specifications:
- End-to-end encryption of payment data
- Tokenization of sensitive payment information
- Segmented network architectures
- Regular penetration testing and vulnerability assessments
Security implementation details:
- Payment Card Industry Data Security Standard version 4.0 compliance
- Advanced payment data tokenization
- Secure transmission protocols (TLS 1.3)
- Regular automated and manual security assessments
- Comprehensive cardholder data protection strategies
Advanced security mechanisms:
- Payment card data segmentation
- Dynamic fraud detection algorithms
- Secure payment processing microservices
- Continuous compliance monitoring
PCI DSS compliance demonstrates that Commerce Layer meets the card industry’s requirements for handling payment information. It reduces the likelihood and impact of a cardholder data breach, lowers the risk of financial fraud, and builds trust with our enterprise customers, who can pass that trust on to their end users.
ISO 27001: The international standard for information security management
ISO 27001 is an internationally recognized standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive company information, ensuring its confidentiality, integrity, and availability. Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it emerged from the need for a comprehensive, globally recognized framework for information security management. Its origins can be traced to the British Standard BS 7799 of the 1990s; ISO/IEC 27001 was first published in 2005 and revised in 2013 and 2022 to keep pace with technology and the challenges of global digital infrastructure. The standard provides a universal language for security practices, a standardized approach to risk management, and a basis for cross-border trust in information systems.
To meet ISO 27001 we had to show how we identify, assess, and treat security risks within the management system the standard requires. Annex A of the 2013 edition lists 114 reference controls across 14 domains, covering areas such as access control, cryptography, physical and environmental security, operations security, and supplier relationships; the 2022 revision consolidates these into 93 controls under four themes (organizational, people, physical, and technological). Specifically, we demonstrated the following:
- Risk management methodology, aligned with ISO 31000, requiring that we systematically evaluate potential threats to our information assets and implement appropriate controls.
- An information security management system (ISMS) covering:
  - Asset management
  - Operational security controls
  - Cryptographic controls
  - Physical and environmental security
  - Incident management procedures
The ISO 27001 certification demonstrates that we have a comprehensive information security management system and can systematically manage and protect sensitive information. As a commitment to our customers, we’re adhering to this rigorous and internationally recognized best practice, and also providing a framework for continuous security improvement.
A cherry on top: The AWS Foundational Technical Review
As part of the AWS Partner Network and Marketplace process, AWS developed the Foundational Technical Review (FTR) to check a partner’s product against a defined subset of AWS Well-Architected Framework best practices for security, reliability, and operational excellence. The review covered Commerce Layer’s AWS-hosted platform, and AWS concluded that it met the FTR requirements for architectural integrity and operational excellence. Their assessment included:
- Multi-region, high-availability infrastructure validation
- Comprehensive cloud security architecture review
- Advanced cloud native security implementation
We are very proud to be part of the AWS Marketplace with the FTR distinction, running on AWS cloud services on two continents.
Conclusion: Building a holistic approach to digital trust…and we’re just getting started.
Commerce Layer's 2024 security certifications represent a comprehensive, multi-layered defense strategy that addresses the most critical aspects of digital security:
SOC 2: A rigorous, independent validation that ensures our service organization maintains the highest standards of security, availability, processing integrity, confidentiality, and privacy, providing customers with verifiable assurance of our robust internal controls.
PCI DSS: A critical validation that demonstrates our commitment to protecting payment card data through encryption, tokenization, and secure transmission protocols, safeguarding every transaction processed through our platform.
ISO 27001: A globally recognized standard that validates our systematic approach to managing sensitive information, showcasing our ability to identify, manage, and continually improve our information security risks through a comprehensive and adaptive management system.
These certifications represent a fundamental approach to digital trust. In an era where data is the most valuable currency, we promise our enterprise customers that we will provide:
- Proactive threat prevention
- Continuous security evolution
- Transparent and verifiable protection mechanisms
- A partnership built on trust and technological excellence
Our commitment to security and to protecting what matters most is part of our vision that prioritizes trust, innovation, and customer confidence. If you have any specific questions about these concepts, please don’t hesitate to reach out to our CTO, Massimo Scardellato.