Are you prepared for the latest card payment security requirements? As of March 31, 2025, organizations must now comply with PCI DSS v4.0.1, an update to the Payment Card Industry Data Security Standard that changed a number of security best practices from recommended to mandatory. Beginning with version 4.0.1, new requirements emerged around continuous security, enhanced authentication, and protection against vulnerabilities, malware, and phishing.
AWS maintains Level 1 Service Provider PCI DSS compliance across many of its services, securing the underlying infrastructure, network, and software components. However, under the AWS Shared Responsibility Model, your organization is accountable for securing your applications and data on AWS. To achieve full PCI DSS compliance, you may need to implement additional security measures for your apps and data.
Starting with PCI DSS v4.0.1, the following security enhancements are now required:
Web application and API protection: PCI DSS v4.0.1 mandates continuous protection for all public-facing web applications and APIs, requiring solutions that detect, prevent, and generate alerts on attacks. It also calls for vulnerability scanning and maintaining an inventory of custom software, including APIs and third-party components (Requirements 6.2.4, 6.3.2, and 6.4.2).
Enhanced authentication: To prevent unauthorized access to sensitive payment data, multi-factor authentication (MFA) is now required for all access to the cardholder data environment (CDE), which encompasses any components that store, process, or transmit cardholder data (Requirement 8.4.2).
Security control monitoring and failure detection: Organizations must promptly detect and address failures of critical security control systems including intrusion detection/prevention systems and anti-malware solutions (Requirement 10.7).
Comprehensive vulnerability management: Regular and thorough vulnerability scanning of all public-facing applications and systems is required to identify exploitable vulnerabilities, even those deep within the software supply chain (Requirement 11.3.1).
Like AWS, F5 also offers services that are PCI DSS compliant as a Level 1 service provider. F5 solutions provide the additional security capabilities needed for PCI DSS v4.0.1 compliance on AWS:
F5 Distributed Cloud WAF and F5 BIG-IP Advanced WAF deliver comprehensive application security that inspects application traffic and blocks OWASP Top 10 threats, layer 7 distributed denial-of-service (DDoS) attacks, and malicious bots. F5's WAF solutions can be deployed in front of any application regardless of where it lives—on premises, on AWS, or across multiple clouds.
F5 Managed Rules for AWS WAF provide pre-configured security rulesets that enhance the protection capabilities of AWS WAF. This continuously updated protection guards against OWASP Top 10 threats, malicious bots, API-level attacks, and other vulnerabilities.
F5 Distributed Cloud API Security discovers and protects APIs, including continuous monitoring with behavioral analysis to detect anomalies and potential attacks.
F5 BIG-IP Access Policy Manager enables zero-trust application access, enforcing MFA for users reaching the cardholder data environment (CDE). It secures cardholder data in transit and enforces secure access to meet the PCI DSS access-control requirements.
F5 BIG-IP SSL Orchestrator decrypts traffic coming into your AWS environment and steers it through your security stack to detect threats. It monitors the health of security solutions and can quickly mitigate issues when a security control fails, preventing unintentional traffic bypass.
F5 Distributed Cloud Web App Scanning continuously scans your external attack surface, uncovering exposed applications and APIs. Through automated penetration testing, it identifies potentially exploitable vulnerabilities deep within your software supply chain.
By implementing F5 solutions alongside AWS security controls, you can:
With over a decade of partnership, F5 and AWS work together to simplify application delivery and security in the cloud. F5 solutions are available from the AWS Marketplace, making it easy to add complete protection for sensitive payment card data. Learn more by visiting the F5 on AWS webpage.