
PCI-DSS 4.0.1 Update: Major New API Security Upgrades Required for Customer Payment Processors

Ian Dinno
Published August 30, 2024

The latest PCI DSS (Payment Card Industry Data Security Standard) 4.0.1 update is significant, placing a greater emphasis on software supply chains including APIs and client-side scripts.

With the retirement of PCI DSS 3.2.1, organizations processing payments must adapt to the evolving landscape of modern, microservices-based applications, multicloud environments, and the increased implementation of APIs.

This blog post explores some of the critical new requirements introduced in PCI DSS 4.0.1 specifically aimed at safeguarding APIs, which have become integral to transactions across almost all industries and organizations.

The new mandates include:

  • Pre-deployment testing 6.2.3: This emphasizes the rigorous review, testing, and secure development practices for bespoke and custom software, including APIs prior to release, to identify and correct code vulnerabilities.
  • Protection against common threats 6.2.4: Organizations must implement controls to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software. The focus includes abuse of business logic; injection attacks (e.g., SQL, LDAP, XPath, OS command, parameter, object, or fault injection); and attacks on access control and data. All are critical to the protection of APIs.
  • Inventory and insight into bespoke software 6.3.2: Businesses must also maintain visibility and an inventory of bespoke and custom software, including APIs and third-party components, to facilitate vulnerability management and patching and so ensure a comprehensive security posture.
  • Production visibility, threat detection, and testing 6.4.1 and 6.4.2: This update highlights the need for regular testing and continuous monitoring and protection of public-facing web applications and APIs against vulnerabilities, known attacks, and emerging threats. Among these requirements:
    • Regular (at least annual) scanning and testing of public-facing web apps and APIs
    • A technical solution, deployed in front of public-facing web apps and APIs, to detect and prevent web- and API-based attacks

Organizations face a March 2025 deadline to comply

The latest revisions to the PCI DSS 4.0 standard were released by the PCI Security Standards Council in June 2024 and are in response to business and technical transformations observed in recent years. These changes acknowledge the widespread adoption of APIs and evolution of the apps and infrastructure supporting a growing number of services and interactions powering today’s increasingly digital economy, including in-person, web, and mobile payment systems.

APIs represent a shift in the threat paradigm, with their own set of specific threats covered in the OWASP API Security Top 10. They are susceptible to most of the same attacks and vulnerabilities as traditional web apps, but they often expose business logic directly, which makes them an increasingly attractive target for attackers. They therefore demand a specific set of controls to protect data from unauthorized access, manipulation, or exposure, in order to preserve privacy, maintain the trust of users and stakeholders, and ensure the confidentiality, integrity, and availability of API communications.

A March 2025 deadline for organizations to comply underscores the urgency for businesses to align with these new specifications to safeguard APIs and their client-side scripts.

Some strategies for ensuring compliance

To meet the PCI DSS 4.0 standards effectively and protect their entire threat surface, organizations should evaluate their existing security infrastructure, processes, and capabilities, and consider implementing solutions that deliver the following:

  • Comprehensive API discovery: This begins with integration with code repositories to build complete and accurate inventories and documentation directly from the source(s). But it also includes traffic-based analysis and domain crawling to identify shadow, zombie, unmanaged, and third-party APIs.
  • Robust API testing: Such testing provides preproduction analysis of API code paired with dynamic testing of public-facing apps and APIs, delivering continuous identification of vulnerabilities with context and remediation guidance.
  • Runtime protection: In-line enforcement and control mechanisms that block, limit, and enforce proper API behavior. This includes WAF and API-specific functionality (API protection rules, rate limiting, data masking, and schema enforcement) that together deliver a positive security model, in which only requests that match the expected structure and behavior are allowed through.
  • Continuous monitoring and anomaly detection: AI/ML-based behavioral analysis and continuous traffic inspection of APIs to identify potential attacks, sensitive data exposure, and other abnormal API behavior that may indicate abuse or compromise of an API endpoint.
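As an added illustration (not part of this post and not F5's product), the following Python shows the positive security model behind the "runtime protection" bullet, applied to a constructed payment endpoint: an allow-list schema that rejects unknown or malformed fields, a sliding-window rate limiter per client, and PAN masking in anything the gate returns or logs. The schema, field names, limits and sample requests are assumptions made for the example.

```python
"""Added example (not from the original post): minimal in-line enforcement
gate for a payment API: schema enforcement + rate limiting + PAN masking."""
import re
import time
from collections import defaultdict, deque
from typing import Optional

# Allow-list schema (constructed): permitted fields, each with a type and a value check.
PAYMENT_SCHEMA = {
    "amount_cents": (int, lambda v: 0 < v <= 1_000_000),
    "currency": (str, lambda v: v in {"USD", "EUR", "GBP"}),
    "pan": (str, lambda v: re.fullmatch(r"\d{13,19}", v) is not None),
}
RATE_LIMIT, WINDOW_SECONDS = 5, 60  # constructed policy: 5 requests per client per minute
_hits = defaultdict(deque)           # client_id -> timestamps of recent requests

def validate_payment(body: dict) -> list:
    """Return a list of violations; an empty list means the body conforms to the allow-list."""
    errors = [f"unknown field: {k}" for k in body if k not in PAYMENT_SCHEMA]
    for field, (ftype, check) in PAYMENT_SCHEMA.items():
        if field not in body:
            errors.append(f"missing field: {field}")
        # 'type(...) is' (not isinstance) so that bool is not accepted where int is expected
        elif type(body[field]) is not ftype or not check(body[field]):
            errors.append(f"invalid value for {field}")
    return errors

def allow_request(client_id: str, now: Optional[float] = None) -> bool:
    """Sliding-window rate limiter: True if this client is still under the limit."""
    now = time.monotonic() if now is None else now
    window = _hits[client_id]
    while window and now - window[0] > WINDOW_SECONDS:
        window.popleft()          # drop hits that fell out of the window
    if len(window) >= RATE_LIMIT:
        return False
    window.append(now)
    return True

def mask_pan(pan: str) -> str:
    """Mask a card number for logs/responses, keeping only the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def gate(client_id: str, body: dict, now: Optional[float] = None) -> tuple:
    """In-line decision: 429 when rate-limited, 400 on schema violation, else 200 with masked PAN."""
    if not allow_request(client_id, now):
        return 429, {"error": "rate limit exceeded"}
    errors = validate_payment(body)
    if errors:
        return 400, {"error": errors}
    return 200, {"pan": mask_pan(body["pan"]), "amount_cents": body["amount_cents"]}
```

Such a gate is the smallest form of the "technical solution deployed in front of public-facing APIs" that 6.4.2 asks for; a production deployment would load the schema from the API's own specification rather than hard-coding it.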

The update is substantial, but compliance doesn’t have to be daunting

PCI DSS 4.0.1's focus on API security signifies a crucial step toward safeguarding digital transactions in today's complex and ever-evolving IT environments.

As the deadline approaches, proactive measures to enhance API security will be pivotal in achieving and maintaining compliance. They will also improve the resiliency of your infrastructure against cyber threats and attacks targeting APIs and client-side scripts, strengthen protection of your customers' payment card data and information, and deepen the trust and credibility of your organization with customers and regulatory bodies.

You can prepare your organization for PCI DSS 4.0.1 compliance by assessing your current API security practices, identifying gaps, and implementing the necessary improvements. Stay informed about additional resources and guidance provided by the PCI Security Standards Council to ensure readiness by March 2025.

This doesn’t have to be a daunting task. F5 has the expertise and solutions to help organizations assess and implement controls that align to the new requirements and enhance your web app and API security posture.

Check out this demo of F5’s complete API security in action and reach out to us today to set up a meeting with one of our experts.