Why Is My PCI Compliance Scan Failing?

Issue

The customer notices that their PCI scan is failing or returning an error, which prevents them from completing their compliance scans.

Resolution

It's common to see customers conducting PCI compliance scans to meet their audit requirements. However, customers need to understand that Heroku's Shield Private Space is the only environment rated to be PCI compliant. To be fully PCI compliant, customers need to upgrade or migrate their application from Common Runtime or Private Space to Shield Private Space.

In doing so, the customer is responsible only for compliance scans at their application level, since the underlying PaaS environment has been PCI audited and certified. As a provider, Salesforce conducts the PCI-ASV scan of the Shield Private Space environment. The relevant security and compliance reports for our customers are listed below.

Public Documents

Documents Requiring Signed NDA
