Blog
AI & Automation

PCI-DSS Requirement 4 and Proxies: Why SSL Passthrough Matters for Payment Traffic

QuotaGuard Engineering
March 17, 2026
5 min read
Pattern

If your app processes payments through Stripe, Braintree, Adyen, or another gateway that requires IP whitelisting, you need a static IP. If you're on Heroku, Render, or another PaaS with rotating IPs, that usually means adding a proxy.

Here's the part that catches teams off guard: most proxies create a PCI compliance problem while solving the IP whitelisting problem.

How Standard Proxies Handle TLS

A typical proxy works by terminating your SSL connection. Your app sends encrypted traffic to the proxy. The proxy decrypts it, reads the request, re-encrypts it, and forwards it to the destination.

This means cardholder data exists in plaintext on the proxy server. Briefly. But it's there.

PCI-DSS Requirement 4.1 is specific about this: "Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks." That applies to every hop. Every server that touches the traffic. Including your proxy.

When an assessor asks "Where does cardholder data get decrypted?" and the answer includes "on the proxy server," that's a finding.

SSL Passthrough: A Different Approach

QuotaGuard Shield uses SSL passthrough instead of SSL termination. Your app's TLS connection to the payment processor stays intact. Shield routes the encrypted traffic without unwrapping it.

The proxy sees encrypted bytes. It routes them. It never decrypts. Cardholder data never exists in plaintext on our servers.

When your PCI assessor asks about decryption, the answer is clean: "The proxy uses SSL passthrough. It never terminates the TLS connection. Cardholder data is encrypted end-to-end."

Two Problems, One Fix

Teams processing payments on a PaaS typically need two things from their infrastructure. First, static IPs for payment gateway whitelisting. Second, encryption compliance for PCI-DSS.

Shield provides both. You get two load-balanced static IPs with automatic failover. Same reliability as QuotaGuard Static. Plus SSL passthrough that maintains encryption integrity.

Shield starts at $29 per month. You get the static IPs, the SSL passthrough architecture, and the compliance guarantee.

Where This Comes Up

The typical scenario: a SaaS company runs a subscription service. Users enter card details. The app makes requests to a payment processor. The processor requires whitelisted IPs.

Without Shield, there are three options. Run a dedicated server (expensive, doesn't scale). Use a standard proxy (creates the PCI gap described above). Or skip IP whitelisting entirely (which means you're not using your processor's security features).

Shield is a fourth option that handles both requirements at once.

For older payment systems that use raw TCP instead of HTTPS, QGTunnel provides transparent TCP tunneling through Shield. Same static IPs, same encryption benefits, for non-HTTP protocols.

What PCI Assessors Focus On

During a PCI assessment, the infrastructure diagram gets scrutinized. Assessors ask where sensitive data gets stored and where it gets decrypted. If you have a proxy in your architecture, they want to know how it handles encryption.

With Shield, you describe SSL passthrough. You explain that the proxy never terminates TLS. You show that cardholder data is encrypted from your app to the processor. The assessor documents it and moves on.

Regional Data Residency

Some companies need traffic locked to specific regions. GDPR requirements for EU customers, or data sovereignty rules in specific jurisdictions.

Shield supports this as a $899/month add-on. You can keep all traffic within the US or within the EU. No cross-continental hops.

Testing It

You can verify the setup yourself at https://ip.quotaguard.com. It shows the static IP your traffic exits from. Set up Shield, route a test request through it, and confirm the IP is consistent.

Getting Started

If you're processing payments through a proxy and you're not sure how your current setup handles TLS, it's worth checking before your next PCI assessment.

Sign up for Shield and test it with your payment processor. The setup takes about 20 minutes. You can verify the SSL passthrough behavior and static IP assignment before committing to anything.

QuotaGuard Static IP Blog

Practical notes on routing cloud and AI traffic through Static IPs.

AI & Automation

Static IP on No-Code Platforms: Why Some Work and Some Don't

Uses a real support ticket as the anchor to explain why some no-code platforms work with QuotaGuard and others don't, and gives no-code builders a practical way to evaluate their own platform before they spend time on setup.
QuotaGuard Engineering
March 16, 2026
5
min read
AI & Automation

Why Your Legitimate Cloud App Gets Blocked as a Bot (And How to Check)

Explains why legitimate cloud apps on AWS, Heroku, Render, and similar platforms get blocked by firewalls and anti-bot systems due to shared IP reputation, walks through real diagnostic tools to verify the problem, and shows the fix.
QuotaGuard Engineering
March 16, 2026
5
min read
Product Updates

Proximo Down Again? Migrate to a Static IP Proxy That Has Support

When Proximo goes down, Heroku customers lose production traffic with no support line to call. This post covers why QuotaGuard is the direct replacement and how to migrate in under 30 minutes.
QuotaGuard Engineering
March 10, 2026
5
min read
Tutorials & Integration Guides

Connect a Heroku App to AWS RDS with a Static IP

Heroku apps use rotating dynamic IPs that can't be allowlisted in AWS RDS security groups. This guide shows how to route Heroku outbound traffic through a static IP so you can lock your RDS instance to two fixed addresses.
QuotaGuard Engineering
March 10, 2026
5
min read
AI & Automation

Retool Static IP: Connect Retool to Firewalled Databases and APIs

Retool Cloud runs on dynamic shared IPs that get blocked by database security groups and IP-allowlisted enterprise APIs. This guide shows how to give Retool a fixed outbound IP using QuotaGuard, covering both Cloud and self-hosted deployments.
QuotaGuard Engineering
March 10, 2026
5
min read
AI & Automation

Railway Static IP: Fixed Egress for Railway Apps in 10 Minutes

Railway apps run on shared cloud infrastructure with rotating IPs. This guide shows how to assign a fixed static IP to Railway services using QuotaGuard, covering HTTP proxy setup, database connections, and Shield for inbound traffic.
QuotaGuard Engineering
March 10, 2026
5
min read
Tutorials & Integration Guides

Static Egress IP for DigitalOcean Kubernetes (DOKS): Three Options Compared

Honest comparison of DigitalOcean Kubernetes egress IP options: native VPC NAT gateway, egress Droplet with Reserved IP, and QuotaGuard proxy. Includes setup steps, real pricing, and inbound IP coverage for webhook scenarios.
QuotaGuard Engineering
March 6, 2026
5
min read
AI & Automation

Google Cloud Run Static IP: Why Cloud NAT Causes Timeouts (and the Simpler Fix)

Google Cloud Run doesn't give your functions a static egress IP. Cloud NAT works but causes connection timeouts. Here's why, and a simpler fix that takes 2 minutes.
QuotaGuard Engineering
March 5, 2026
5
min read
AI & Automation

n8n Cloud Static IP: Fixed Egress in 10 Minutes

n8n Cloud uses dynamic outbound IPs by default, which breaks integrations that require firewall allowlisting. This guide shows how to route n8n HTTP Request node traffic through a QuotaGuard static IP proxy, get a fixed egress address in under 10 minutes, and permanently solve the allowlisting problem without leaving n8n Cloud.
QuotaGuard Engineering
March 5, 2026
5
min read
Tutorials & Integration Guides

AWS Lambda Static IP Without NAT Gateway: Save $70+/Month

How to give AWS Lambda a static IP without a NAT Gateway. Skip $70+/month in infrastructure costs with a two-minute proxy configuration. Available directly on the AWS Marketplace
February 26, 2026
5
min read
AI & Automation

Your Replit App's IP Address Changes Every Deployment. Here's the Fix.

Replit assigns a new outbound IP on every deployment, breaking firewall rules and database connections. Here is how to fix it with a static IP proxy in under 5 minutes.
QuotaGuard Engineering
February 25, 2026
5
min read
Tutorials & Integration Guides

How to Route PyMongo Through a SOCKS Proxy on PythonAnywhere, Netlify, and Other Platforms That Restrict Custom Binaries

Running PyMongo on PythonAnywhere, Netlify, or another platform that blocks custom binaries? Here's the pure-Python SOCKS5 setup that works, including the mongodb+srv and SOCK_CLOEXEC gotchas that will silently break it if you miss them.
February 20, 2026
5
min read
Tutorials & Integration Guides

Why Your MongoDB Connection Is Eating Your SOCKS Proxy Bandwidth (And How to Fix It)

Seeing unexpected bandwidth usage on your SOCKS proxy with MongoDB? Learn how replica set heartbeats accumulate through proxy tunnels and three practical steps to reduce your footprint.
QuotaGuard Engineering
February 19, 2026
5
min read
AI & Automation

How to Add Static IPs to Apps Built with Emergent AI

Route outbound traffic from Emergent-hosted apps or exported code through fixed IPs to connect to firewalled databases, payment APIs, and enterprise systems.
QuotaGuard Engineering
February 17, 2026
5
min read
QuotaGuard's Journey

Heroku Is Entering "Sustaining Engineering" Mode. Here's What That Means for Your Static IPs.

Heroku is entering sustaining engineering mode. Your apps still run. Your static IPs still work. And if you migrate, your QuotaGuard IPs go with you.
QuotaGuard Engineering
February 16, 2026
5
min read
Tutorials & Integration Guides

QGTunnel: Static IPs for Database Connections, FTP, SFTP, and Other TCP Traffic

QGTunnel routes non-HTTP traffic like database connections, FTP, and SFTP through static IPs without changing your connection strings. Here's how it works and how to set it up.
QuotaGuard Engineering
February 14, 2026
5
min read
AI & Automation

PCI-DSS Requirement 4 and Proxies: Why SSL Passthrough Matters for Payment Traffic

QuotaGuard Engineering
February 13, 2026
5
min read
AI & Automation

HIPAA-Compliant Static IPs: How SSL Passthrough Keeps PHI Encrypted in Transit

Healthcare applications need to send encrypted data to external APIs, but regular proxies decrypt traffic mid-stream, violating HIPAA. QuotaGuard Shield uses SSL passthrough to maintain end-to-end encryption while providing compliant static IPs.
QuotaGuard Engineering
February 13, 2026
5
min read
AI & Automation

The Real Cost of Static IPs: NAT Gateway vs. Proxy Service vs. Rolling Your Own

AWS NAT Gateway costs $45/month per AZ plus data transfer fees. A static IP proxy starts at $19/month with no hidden charges. Here's when each option makes sense.
QuotaGuard Engineering
February 13, 2026
5
min read
AI & Automation

Static IPs on Netlify and Railway: What's Available and What's Not

Netlify has no static IPs at all. Railway offers shared ones on Pro plans. If your database or API requires dedicated IP whitelisting, here's what to do on both platforms.
QuotaGuard Engineering
February 13, 2026
5
min read
AI & Automation

Render's /24 Static IP Range: When 256 Addresses Is Too Many

Render gives you a /24 range with up to 256 IPs for outbound traffic. Most APIs only let you whitelist one or two. Here's how to get dedicated static IPs on Render.
QuotaGuard Engineering
February 13, 2026
5
min read
AI & Automation

Heroku's Rotating IPs: How to Get a Static IP Without Private Spaces

Heroku dynos rotate IPs constantly across AWS ranges. If your banking API, SQL Server, or SFTP vendor needs a whitelisted IP, here's how to get a static one without Private Spaces.
QuotaGuard Engineering
February 13, 2026
5
min read
AI & Automation

Serverless Functions and IP Whitelisting: The 0.0.0.0/0 Trap

Vercel, Lambda, and Cloud Functions don't have static IPs. Most teams cave and whitelist 0.0.0.0/0 in MongoDB Atlas. That opens your database to the entire internet. Here's the fix.
QuotaGuard Engineering
February 13, 2026
5
min read
AI & Automation

Make/Integromat and IP Whitelisting: Why Zone Detection Isn't Enough

Make rotates through 3 shared IPs per zone across thousands of users. Zone detection doesn't solve the whitelisting problem. Here's what actually works.
QuotaGuard Engineering
February 13, 2026
5
min read
AI & Automation

n8n Cloud and Static IPs: How to Whitelist When You Have 22 Rotating Addresses

n8n Cloud gives you 22 rotating IPs that can change anytime. If your API vendor or SFTP server needs a static IP for whitelisting, here's how to fix it in five minutes.
QuotaGuard Engineering
February 13, 2026
5
min read
AI & Automation

Zapier and Static IPs: How to Whitelist a Zap Without Opening Your Firewall to All of AWS

Zapier doesn't have a static IP. It runs on AWS us-east-1 with millions of shared addresses. Here's why whitelisting the entire range is a security nightmare and what to do instead.
QuotaGuard Engineering
February 13, 2026
5
min read
Tutorials & Integration Guides

How to Fix Ruby DNS Resolution Errors When Using QGTunnel with Third-Party APIs

If you're using QGTunnel in transparent mode for database connections and seeing Socket::ResolutionError when calling APIs like Mailchimp, the fix is to disable transparent mode. This guide walks through the cause and the 5-minute solution.
QuotaGuard Engineering
January 29, 2026
5
min read
Tutorials & Integration Guides

How to Get a Static IP for Gigalixir Apps

Learn how to get static outbound IPs for Gigalixir apps. Code examples for HTTPoison, Req, Finch, and Tesla. Connect to firewalled databases and APIs.
QuotaGuard Engineering
January 19, 2026
5
min read
Tutorials & Integration Guides

How to Get a Static IP for Render Apps

Render provides shared CIDR ranges for outbound IPs, but many firewalls and databases require individual static IPs. This guide compares native options with proxy services and shows how to connect Render apps to MongoDB Atlas and other firewalled resources.
QuotaGuard Engineering
January 15, 2026
5
min read
Tutorials & Integration Guides

How Do I Get a Static IP for Fly.io Apps?

Learn how to get a static IP for Fly.io apps. Compare native egress IPs vs QuotaGuard proxy. Includes code examples for Node.js, Python, Elixir, and Go.
QuotaGuard Engineering
January 13, 2026
5
min read
Tutorials & Integration Guides

How to Fix 403 Forbidden Errors in n8n HTTP Request Nodes (The Static IP Fix)

Is your n8n AI agent getting blocked? If you are seeing 403 Forbidden or ECONNREFUSED errors, the problem isn't your code, it's likely your IP address. Learn why "noisy" cloud IPs get flagged and how to fix it in 2 minutes using n8n's native proxy settings.
QuotaGuard Engineering
December 8, 2025
5
min read
Tutorials & Integration Guides

SSL Passthrough vs SSL Offloading: A Quick Primer

Understand the critical differences between SSL Passthrough, SSL Offloading, and SSL Termination. Learn which method ensures end-to-end zero-knowledge encryption for compliance versus which optimizes performance by decrypting traffic at the load balancer.
QuotaGuard Engineering
December 4, 2025
5
min read
Security & Compliance

US and EU Data Residency for Static IP Proxy Traffic

Does your security team prohibit traffic from leaving the EU or US? Learn how QuotaGuard’s Data Residency add-on locks your static IPs and logs to a single region, simplifying your audits for SOC 2, HIPAA, and GDPR.
QuotaGuard Engineering
October 4, 2025
5
min read
Product Updates

Introducing U.S. Data Residency: Keep Your Proxy Traffic Fully Within U.S. Borders

Meet strict localization requirements with our new U.S. Data Residency option. Route all proxy traffic and logs exclusively through U.S. infrastructure to align with government contracts, HIPAA, and SOC 2 standards.
QuotaGuard Engineering
October 4, 2025
5
min read
Product Updates

QuotaGuard Now Live in 10 AWS Regions – Including Singapore and Mumbai!

QuotaGuard is now live in 10 AWS regions, including new launches in Singapore and Mumbai. Reduce latency and improve performance for your global workloads by routing static IP traffic through infrastructure closer to your data.
QuotaGuard Engineering
October 4, 2025
5
min read
Product Updates

QuotaGuard Expands: Early Access to Heroku’s Next-Gen Fir Platform

QuotaGuard is testing early access to Heroku's next-gen Fir platform. We are ensuring full compatibility so you can migrate your static IP workflows seamlessly as Heroku modernizes its infrastructure for better scalability and performance.
QuotaGuard Engineering
October 4, 2025
5
min read
View all

Reliability Engineered for the Modern Cloud

For over a decade, QuotaGuard has provided reliable, high-performance static IP and proxy solutions for cloud environments like Heroku, Kubernetes, and AWS.

Get the fixed identity and security your application needs today.

Start Free TrialTalk to an Engineer