Cybercrime has grown and will continue to do so due to readily available automation tools and stolen credentials making attacking applications for profit quite simple. This, in turn, has driven greater industry and government security standards to ensure compliance and trust. An example of such industry security standard is Payment Card Industry Data Security Standard (PCI-DSS), with the release of the v4 requirements. One of the goals of the release is to update the overall protection schema for client-side security.
PCI-DSS is a critical standard as it enables payment processors and service providers to trust and protect each other. To meet the growing needs of electronic transactions, various merchants and service providers have migrated their applications to cloud-based infrastructure to ensure scalable, low-latency operations. PCI-DSS compliance standards apply to all electronic transactions, regardless of what infrastructure merchants and service providers use to process payments. PCI-DSS covers network security, data encryption, and management but does not address protecting applications (and data) from automated attacks.
In order to protect cloud-based applications and data from automated (or manual) attacks, payment processors and merchants rely on third-party security service providers to deliver distributed protection for applications and data. PCI-DSS certification of a SaaS security vendor is critical for the payment issuers to maintain compliance and trust of other vendors that they are connected and transact business with. A Security-as-a-Service vendor without PCI-DSS compliance makes it much harder for payment issuers to maintain or prove compliance and continued trust with third-party organizations they are connected with for payment processing.
From the PCI-DSS glossary, a service provider is a business entity that is not a payment brand directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, intrusion detection systems, and other services as well as hosting providers and other entities.
F5 Distributed Cloud (XC) Bot Defense is a SaaS solution that protects applications from automated attacks and meets PCI-DSS compliance requirements as a service provider. F5 XC Bot Defense provides security for payment issuers and alike against automated attacks for a wide range of industries such as financial services, retail and eCommerce, healthcare, and governments across the globe.
A good example of how F5, as a service provider, is able to meet PCI-DSS compliance requirements is strict adherence (policy, operation, and documentation) to PCI requirements listed below:
1.3 Network access to and from the cardholder data environment (CDE) is restricted.
1.3.1 Inbound traffic to the CDE is restricted as follows:
- To only traffic that is necessary.
- All other traffic is specifically denied.
1.3.2 Outbound traffic from the CDE is restricted as follows:
- To only traffic that is necessary.
- All other traffic is specifically denied.
1.4.1 NSCs are implemented between trusted and untrusted networks.
1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted to:
- Communications with system components that are authorized to provide publicly accessible services, protocols, and ports.
- Stateful responses to communications initiated by system components in a trusted network.
- All other traffic is denied.
1.4.3 Anti-spoofing measures are implemented to detect and block forged source IP addresses from entering the trusted network.
As a PCI-DSS service provider, F5 must not only meet PCI-DSS requirements but build on them to readily secure distributed applications and data from automated attacks that can quickly scale up and/or mutate.
To find out more about how F5 Distributed Cloud Bot Defense can not only protect your applications and data from attack but also streamline your PCI-DSS compliance process, check out:
- New PCI DSS v4.0 Requirements Address Browser-based Attacks
- Meet PCI Mobile Security Compliance with App Shielding
- F5 Distributed Cloud Bot Defense
About the Author
Related Blog Posts
F5 accelerates and secures AI inference at scale with NVIDIA Cloud Partner reference architecture
F5’s inclusion within the NVIDIA Cloud Partner (NCP) reference architecture enables secure, high-performance AI infrastructure that scales efficiently to support advanced AI workloads.
F5 Silverline Mitigates Record-Breaking DDoS Attacks
Malicious attacks are increasing in scale and complexity, threatening to overwhelm and breach the internal resources of businesses globally. Often, these attacks combine high-volume traffic with stealthy, low-and-slow, application-targeted attack techniques, powered by either automated botnets or human-driven tools.
F5 Silverline: Our Data Centers are your Data Centers
Customers count on F5 Silverline Managed Security Services to secure their digital assets, and in order for us to deliver a highly dependable service at global scale we host our infrastructure in the most reliable and well-connected locations in the world. And when F5 needs reliable and well-connected locations, we turn to Equinix, a leading provider of digital infrastructure.
Volterra and the Power of the Distributed Cloud (Video)
How can organizations fully harness the power of multi-cloud and edge computing? VPs Mark Weiner and James Feger join the DevCentral team for a video discussion on how F5 and Volterra can help.
Phishing Attacks Soar 220% During COVID-19 Peak as Cybercriminal Opportunism Intensifies
David Warburton, author of the F5 Labs 2020 Phishing and Fraud Report, describes how fraudsters are adapting to the pandemic and maps out the trends ahead in this video, with summary comments.
The Internet of (Increasingly Scary) Things
There is a lot of FUD (Fear, Uncertainty, and Doubt) that gets attached to any emerging technology trend, particularly when it involves vast legions of consumers eager to participate. And while it’s easy enough to shrug off the paranoia that bots...