
Substantially reduce your PCI DSS control burden through inherited infrastructure

securitycloud application platformPaaSIaCcomplianceDevOpsAWS
03 March 2026
Greg Qualls
Director, Product Marketing

For most engineering leaders, a PCI DSS audit is a "feature freeze" in disguise. 

It is a period where your most expensive talent stops shipping product to spend weeks gathering screenshots, verifying firewall rules, and proving that staging environments match production.

This manual evidence gathering is a symptom of a "build-it-yourself" infrastructure trap. When you build on top of raw infrastructure, you are responsible for everything from operating system hardening to network isolation.

At Upsun, we advocate for a different model: Inherited Compliance. 

By moving to a secure-by-default cloud application platform, you offload the vast majority of physical and network control requirements, leaving your team to focus only on the security of their own code.

Automated patch deployment and traceability

Upsun reduces the overhead of manual infrastructure maintenance through automated patch deployment with documented validation and change traceability.

We deploy critical security updates across your infrastructure, ensuring you maintain a strong security posture without the manual operational burden typically required to stay compliant.

The shared responsibility model for PCI DSS

Compliance is never "plug and play," but it can be partitioned. To move fast, you must understand the line between your responsibility and ours.

  • What Upsun manages: 
    We are responsible for security of the platform. This includes strict project isolation and hardware lifecycle management. Every deployment and configuration change is automatically logged, giving you a complete audit trail built into every environment.
  • What you manage: 
    You are responsible for security in the platform. This includes your application code, user access levels (RBAC), and how you handle sensitive cardholder data (CHD) within your logic. While our infrastructure is PCI-hardened, we strongly encourage using third-party processors for cardholder activity to further shrink your audit surface.

By deploying on PCI-certified Dedicated Clusters, you start your audit with the vast majority of infrastructure-level controls already verified and documented by the platform.

Note that while Upsun provides a globally standardized experience, PCI certification currently excludes the FR-1 and FR-3 regions. Always verify your region's compliance status before initializing a PCI-scoped workload.

Eliminating compliance drift with .upsun/config.yaml

The primary reason companies fail audits is "drift." A developer opens a port for a quick test, or a staging server is configured differently than production.

Upsun solves this by treating your infrastructure as version-controlled code. 

Your entire environment stack, including your PostgreSQL or Redis instances, is defined in your .upsun/config.yaml file.

  • Integrated Edge Security: 
    You can define your perimeter directly in code, managing the Upsun WAF or Fastly WAF settings to protect against OWASP Top 10 threats.
  • Identical environments: 
    When you create a preview environment, it is a perfect byte-for-byte clone of your production infrastructure. You can verify your security controls in a sandbox that behaves exactly like the live site.
  • Auditable history: 
    Your auditors do not need to hunt through a web console. They can review the Git history of your .upsun/config.yaml to see exactly when and why a routing rule was changed.

Multi-cloud portability without the security tax

Standardizing on Upsun doesn't just simplify compliance; it protects your optionality. 

One of the biggest risks for a CTO is "compliance lock-in," where moving from one cloud provider to another requires a total rewrite of your security policies.

Upsun provides a consistent management layer. 

Whether you initialize your project on AWS, GCP, or Azure, your deployment workflow and security configuration remain identical. You get the power of a multi-cloud strategy with the simplicity of a single, compliant interface.

Next step: define your compliance boundary

Don't wait for your QSA to find a gap. Transitioning to a managed platform is a strategic way to streamline your compliance workflows and accelerate your release cycles.

  1. Audit your scope: 
    Visit the Upsun Trust Center to access our PCI DSS Level 1 Attestation of Compliance (AoC) and map our controls to your internal audit requirements.
  2. Initialize your config: 
    Use upsun init to see how easily your current stack can be codified into a secure configuration file.
  3. Consult an Architect: 
    If you are migrating a legacy stack to a PCI-certified cluster, contact our solutions engineering team for a technical mapping session to review your architecture.
