With Adobe Commerce, powered by Magento, security over consumer data and finances is something your business can control.


All of your data, out of harm’s way

Consumers and B2B buyers expect you to know enough about them to make their shopping experiences unforgettable. But they also trust you to protect their most sensitive data. With cyberthreats at every turn, keeping your commerce data safe is easier said than done.

Adobe Commerce is PCI-certified as a level 1 Solution Provider. That means merchants using our solution can use PCI Attestation of Compliance to support their own PCI certification process. With Adobe, you can conduct your online business with confidence using tools like security scanning, which lets you keep tabs on your sites and get updates about security risks, malware, and unauthorized access. With our active global developer community, you can rest assured your security defenses are always up to date against current and emerging threats.

Create safe websites

Consumer’s browser

Consumers are better protected using HTTPS on your site. Checkout and account pages are always secured using HTTPS, however we recommend you secure all the pages on your site with HTTPS (using either a shared SSL certification or the customers own SSL certificate for an additional fee.
Content delivery network (CDN) & DDoS protection
Fastly provides CDN and DDoS protection from Layer 3 through Layer 7. The Fastly CDN helps to isolate direct access to the origin server, and the public DNS only points to its network. The Fastly DDOS solution protects against highly disruptive Layer 3 and Layer 4 attacks, and more complex Layer 7 attacks. Layer 7 attacks can be blocked using custom rules based on the entire HTTP / HTTPS request, and based on client and request criteria including headers, cookies, request path, and client IP, or indicators like geolocation.
Web application firewall (WAF)
The Fastly web application firewall (WAF) is used to provide additional protection. Fastly’s cloud based WAF uses third-party rules from commercial and open source sources, including the OWASP Core Ruleset and Commerce-specific rules. Customers are protected from key application-layer attacks, including known injection attacks and malicious inputs, cross site scripting, data exfiltration, HTTP protocol violations, and other OWASP Top 10 threats. WAF rules are updated as new vulnerabilities are identified. Commerce can then “virtually patch” security issues in advance of software patches.
Virtual private cloud
The Adobe Commerce Cloud Pro production environment is configured as a virtual private cloud (VPC) so that all 3 production servers are isolated and have limited ability to connect in and out of the cloud environment. Only secure connections to the cloud servers are allowed. Secure protocols like SFTP or rsync can be used for file transfers. Customers can use SSH tunnels to secure communications with the application. All connections to these servers are controlled using cloud security groups, a virtual firewall that limits connections to the environment. Customers’ technical resources may access these servers using SSH.

Test and encrypt

Penetration testing
Adobe conducts regular penetration tests of the core Adobe Commerce instance on cloud application. For any custom applications or extensions, the merchant or partner is responsible for their own penetration testing.
Payment gateway
Adobe Commerce requires payment gateway integrations where credit card data is passed directly from the consumer’s browser to the payment gateway. For such payment extension, the data from the card is not stored in the Commerce production environment.
Commerce application

Adobe Commerce regularly tests the core application code for security vulnerabilities. Patches for defects and security issues are provided to customers. The Commerce Product Security Team validates Commerce products following OWASP application security guidelines. Several security vulnerability assessment tools and external vendors are used to test and verify compliance. The full code base is scanned with these tools on a periodic basis.

Customers are notified of security patches via direct emails, notifications in the application, and in the Commerce Security Center, and must ensure that these patches are applied to their customized application within 30 days of release according to the PCI guidelines. Commerce also provides a security scan tool that enables merchants to regularly monitor their sites and receive updates about known security risks, malware, and unauthorized access. Security Scan is a free service and can be run on any version of Adobe Commerce.

Amazon Elastic Block Store (EBS) is used for storage. All EBS volumes are encrypted using the AES-265 algorithm. This means that the data will be encrypted at rest. The system also encrypts data in transit between the CDN and the origin, and between the origin servers. Customer passwords are stored as hashes. Sensitive credentials, including those for the payment gateway, are encrypted using the SHA-256 algorithm. The Adobe Commerce application does not support column or row level encryption or encryption when the data is not at rest, or not in transit between servers.

Create safe websites

Read-only file system
All the executable code is deployed as a read-only Squash FS image to prevent attack to the environment. And because the filesystem is read-only, it dramatically reduces opportunities to inject PHP or JavaScript code into the system or modify the Commerce application files.
Remote deployment
The only way to get executable code into the Adobe Commerce production environment is to run it through a provisioning process. This involves pushing source code from your source repository into a remote repository that initiates a deployment process. Access to that deployment target is controlled so you have complete control over who can access the deployment target. All deployments of application code to the production environment are controlled by the customer.


Better understand, and align your organization around, the KPIs that matter for success.


All cloud activities from Linux, application server, and database logs are all stored on the production servers and in backups. All source code changes are recorded in a Git repository. Deployment history is available in the Adobe Commerce Cloud user interface. All support access is logged, and support sessions are recorded.