
F5 Helps You Address the New PCI DSS v4.0 Requirements

Jay Kelley
Published December 13, 2024

In March 2022, the Payment Card Industry (PCI) Security Standards Council (SSC) released the latest version of its Data Security Standard, PCI DSS v4.0, and it officially retired PCI DSS v3.2.1 at the end of March 2024. PCI DSS is a worldwide standard that defines the minimum technical and operational security requirements for compliance by any organization storing, processing, or transmitting payment card data.

Representing a major leap forward in payment card data security, with greater flexibility and risk control built in than prior versions, PCI DSS v4.0 and its updates (the latest version of the PCI DSS standard is v4.0.1) provide best practices for organizations to follow. However, in a little over 3 months (after March 31, 2025), these PCI DSS v4.x “best practices” will switch to requirements that will be applied to any PCI DSS assessment.

PCI DSS v4.x stresses the vital nature of securing sensitive cardholder data throughout the lifecycle of a payment card. Requiring encryption regardless of whether cardholder data is in transit or at rest emphasizes the importance of payment transaction and data protection while providing preemptive defense against emerging threats.

PCI DSS and WAFs

In PCI DSS v3.2.1, organizations had the option to protect public-facing web applications by reviewing them manually or with automated application vulnerability security assessment tools at least annually or after significant application changes. Alternatively, they could install an automated solution in front of any public-facing web application to continually detect and prevent web-based attacks, configured to block or generate alerts on attacks. PCI DSS v4.x, however, will require organizations to deploy a solution in front of public-facing web applications that continually detects, prevents, and generates alerts on web-based attacks (PCI DSS v4.0 subsection 6.4.2).

That is exactly what a web application firewall (WAF) does. A WAF is installed in front of public-facing applications to inspect application traffic, detecting and protecting against web-based attacks. A WAF prevents application layer attacks, including attacks that may exploit common and unknown vulnerabilities in applications and their software supply chain—the core code, third-party libraries, build tools, and other code that compose today’s complex, sophisticated applications. WAFs also protect against attacks that attempt to exploit implementation or configuration flaws, and against automated attacks on payments, credentials, and installed applications.

How F5 can help

F5 secures any application and API anywhere. Our WAF solutions can be deployed in front of any application, regardless of where the application lives. Whether you need a WAF to protect applications that are on premises or in data centers or in the cloud, F5 has a WAF solution that will deliver comprehensive application layer security and protection from exploits and attacks. F5 WAF is available as an appliance, in software, or in the cloud via self-service or managed service, securing containerized applications and Kubernetes, and more.

F5 products are certified as a Level 1 PCI DSS service provider. A service provider, as defined by the PCI SSC, is an organization that does not provide branded payment cards or other form factors, but does process, store, or transmit cardholder data or sensitive authentication data for another organization. Companies delivering services that control or impact the security of cardholder data or sensitive authentication data, like F5 through F5 Distributed Cloud Services, are also classified as service providers under PCI DSS v4.0. F5 product features help our customers meet PCI DSS requirements as merchants, defined by the PCI SSC as any entity that accepts payment cards bearing the logos of any participating payment brand as payment for goods and/or services.

F5 Distributed Cloud Services provide numerous services that address many sections and subsections of the PCI DSS v4.0 standard for organizations that store, process, or transmit payment card data.

F5 Distributed Cloud WAF secures apps anywhere—across clouds, data centers, and edge locations. As an intermediate proxy, Distributed Cloud WAF inspects application requests and responses, blocking and mitigating risks, including the OWASP Top 10 categories, threat campaigns, malicious users, layer 7 DDoS threats, bots and automated attacks, to list a few. It mitigates web application attacks and vulnerabilities through comprehensive, consistent security controls and policies, with observability that is easy to configure, deploy, manage, and scale. F5 Distributed Cloud WAF simply and seamlessly integrates protection into your app development process enabling faster, more secure application delivery and release cycles. By utilizing signature- and AI-based detection techniques with automated signature tuning, F5 Distributed Cloud WAF delivers fast, simple application layer security with maximum efficacy. The new AI assistant within Distributed Cloud Services aids in simplifying security for distributed apps and APIs through a natural language interface with real-time insights, actionable recommendations, and a summary of data reports.

F5 NGINX App Protect is a lightweight, high-performance WAF designed to protect APIs and modern applications across distributed architectures and hybrid environments with consistent protection. Platform-agnostic, NGINX App Protect seamlessly integrates within your application development process, detecting and securing against application attacks, including layer 7 denial-of-service (DoS) attacks and bots. A powerful, low-latency app security solution, NGINX App Protect enables you to scale app security in Kubernetes clusters and the cloud, helping to significantly reduce your compute costs. It delivers a multi-layered defense, mitigating active cyberattack campaigns and surpassing OWASP Top 10 category protection.

F5 BIG-IP Advanced WAF is F5’s flagship web application firewall. The detection and mitigation in the award-winning Advanced WAF serves as the engine for Distributed Cloud WAF and NGINX App Protect. With behavioral analytics, layer 7 DoS mitigation, application layer encryption of sensitive data, and threat intelligence services, BIG-IP Advanced WAF protects applications across distributed, hybrid environments from an array of application attacks. BIG-IP Advanced WAF provides a dedicated, dynamic dashboard that quickly and simply shows protection status against the threats listed in the OWASP Top 10. BIG-IP Advanced WAF includes guided configurations for common WAF use cases and a learning engine, and allows granular customization of security policies.

Extensive protection from F5

In addition, F5 can address more areas applicable to the PCI DSS v4.0 standard.

  • APIs are a key component of nearly all transactions across industries and organizations. PCI DSS v4.0.1 introduces several new requirements meant to protect and secure APIs as part of tailored and custom software. F5 Distributed Cloud API Security helps address many of these new requirements, delivering controls safeguarding APIs that also help prevent or mitigate common software attacks and vulnerabilities. For greater insight into the API security requirements found in PCI DSS v4.0.1, please read Ian Dinno’s blog, PCI DSS 4.0.1 Update: Major New API Security Upgrades Required for Customer Payment Processors, and look for a new blog in early 2025 with additional details.
  • F5 Distributed Cloud Web App Scanning dynamically and continuously scans your external attack surface, uncovering exposed web applications and APIs. Through its automated penetration testing capabilities, Distributed Cloud Web App Scanning identifies and reports potentially exploitable vulnerabilities, even those deep within your software supply chain. It helps you better secure your apps and APIs from attack and exploit. Distributed Cloud Web App Scanning also helps you address PCI DSS v4.0 subsection 6.3.2.
  • F5 Distributed Cloud Mobile App Shield seamlessly protects your mobile apps from malware, bots, data leakage, unauthorized access, and man-in-the-middle (MiTM) attacks that result in compliance violations, financial loss, customer churn, and reputational harm. Distributed Cloud Mobile App Shield delivers unmatched runtime and at-rest protection to proactively harden your mobile apps, prevent tampering, and block bad bots, data exfiltration, and API abuse.
  • PCI DSS v4.0 subsection 8.4.2 mandates that multi-factor authentication (MFA) be implemented for all access to the Cardholder Data Environment (CDE), which comprises the system components that store, process, or transmit cardholder data or sensitive authentication data, or that have unrestricted connectivity to those systems. F5 BIG-IP Access Policy Manager (BIG-IP APM) enables zero trust application access, which includes limiting access to applications and data according to privilege based on any number of factors, including date and time. BIG-IP APM can secure cardholder data and sensitive authentication data in transit. It also allows step-up authentication, which requires defined users—such as those accessing the CDE or remote users—to enter a different set of authentication credentials than those they used for initial access, including different MFA credentials.
  • To detect and promptly address failures of critical security control systems, including IDS/IPS and anti-malware solutions, there’s F5 BIG-IP SSL Orchestrator. BIG-IP SSL Orchestrator provides encrypted threat protection by decrypting encrypted traffic and steering the decrypted traffic through your existing security stack via customizable dynamic service chains. It also load balances the traffic across the solutions in your security stack, monitors the health of all of those solutions, and can manage cipher updates for them. Plus, if one of your security solutions goes offline, you can quickly mitigate the danger via BIG-IP SSL Orchestrator’s dynamic service chains, which let you route around the offline solution and avoid detrimental impacts such as unintentional traffic bypass. And when you need to swap out a security solution, BIG-IP SSL Orchestrator efficiently handles security service changes and insertions, seamlessly transferring decrypted traffic for inspection without interrupting traffic flow. BIG-IP SSL Orchestrator will help you address PCI DSS v4.0 subsections 10.7.2, 10.7.3, and 11.5.1.1.

Putting it all together

As noted above, F5 will help you address many of the new requirements of PCI DSS v4.0—whatever your specific needs and surrounding priorities are—before they are mandated by March 31, 2025.

For more information on F5’s ability to address PCI DSS v4.0 standards, please review the following:

  • Important Changes in PCI DSS 4.0.1 You Should Know About
  • The PCI DSS 3.2.1 Clock Has Hit the Midnight Hour... Are You Ready for 4.0?
  • Defense Against Bots Should Also Help Drive PCI DSS Compliance
  • What Is PCI DSS? Overview, Requirements, and Benefits

For additional information, please reach out to your F5 account manager, channel manager, or F5 channel partner.