Payment Card Industry Data Security Standard (PCI DSS)
F5 Distributed Cloud Services are PCI-DSS Compliant as a Level 1 Service Provider
The Payment Card Industry Data Security Standard (PCI DSS) encourages and enhances payment card account data security and facilitates a broader adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. While specifically designed to focus on environments with payment card account data, PCI DSS can also be used to protect against threats and secure other elements in the payment ecosystem.
PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data environment (CDE). This includes all entities involved in payment card account processing — including merchants, processors, acquirers, issuers, and other service providers.
Compliance with PCI DSS also ensures that businesses adhere to industry best practices when processing, storing, and transmitting credit card data. In turn, PCI DSS compliance fosters trust among customers and stakeholders.
PCI DSS comprises a minimum set of requirements for protecting account data and may be enhanced by additional controls and practices to further mitigate risks. The below table lists the PCI DSS requirements at a high level, F5 qualifies as Level 1 Service Provider and while it does not process, store, or transmit CHD/SAD; it could impact the security of the cardholder data environment (CDE) of our customers.
| PCI DSS Security Standard - High Level Overview |
|
|
|||
|---|---|---|---|---|---|
| Build and Maintain a Secure Network and Systems | 1. Install and Maintain Network Security Controls 2. Apply Secure Configurations to all System Components. |
||||
Protect Account Data |
3. Protect Stored Account Data. 4. Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks. |
||||
| Maintain a Vulnerability Management Program | 5. Protect All Systems and Networks from Malicious Software. 6. Develop and Maintain Secure Systems and Software. |
||||
| Implement Strong Access Control Measures | 7. Restrict Access to System Components and Cardholder Data by Business Need to Know. 8. Identify Users and Authenticate Access to System Components. 9. Restrict Physical Access to Cardholder Data. |
||||
| Regularly Monitor and Test Networks | 10. Log and Monitor All Access to System Components and Cardholder Data. 11. Test Security of Systems and Networks Regularly. |
||||
| Maintain an Information Security Policy | 12. Support Information Security with Organizational Policies and Programs.
|
||||
Source: Payment Card Industry Data Security Standard: Requirements and Testing Procedures, v4.0
FAQ
What personal data does F5 process for its customers?
For many services, F5 acts as a “processor” (not a controller) of the personal data required to provide a service. Details about the personal data that F5 processes are listed on the Privacy Statements for each service. Find all service-specific Privacy Statement links on the introduction of F5’s Privacy Notice at https://www.f5.com/company/policies/privacy-notice.
What specific security measures does F5 provide for personal data?
F5 and its services prioritize the protection of personal data and uphold the highest standards of data privacy. The technical and organizational controls that protect personal data collected by F5 are listed in the specific service contracts (for example, the Service-Specific Terms applicable to services provided under our End User Services Agreement) and in F5's SOC2 Type II report. F5 Global Support is ISO 27001 certified and F5 Distributed Cloud Services are ISO 27001 certified with an extension of ISO 27017 and ISO 27018. F5 is also PCI-DSS Compliant as a Level 1 Service Provider for the F5 Distributed Cloud Services. Additional security certifications apply to specific F5 services and F5 hardware. Find more detailed information about data security practices at https://www.f5.com/company/policies/privacy-notice.
