Make Your AWS Environment PCI DSS v4.0.1 Compliant with F5

F5 Ecosystem | May 14, 2025

Are you prepared for the latest card payment security requirements? As of March 31, 2025, organizations must now comply with PCI DSS v4.0.1, an update to the Payment Card Industry Data Security Standard that changed a number of security best practices from recommended to mandatory. Beginning with version 4.0.1, new requirements emerged around continuous security, enhanced authentication, and protection against vulnerabilities, malware, and phishing.

AWS maintains Level 1 Service Provider PCI DSS compliance across many of its services, securing the underlying infrastructure, network, and software components. However, under the AWS Shared Responsibility Model, your organization is accountable for securing your applications and data on AWS. To achieve full PCI DSS compliance, you may need to implement additional security measures for your apps and data.

Meeting updated security requirements

Starting with PCI DSS v4.0.1, the following security enhancements are now required:

Web application and API protection: PCI DSS v4.0.1 mandates continuous protection for all public-facing web applications and APIs, requiring solutions that detect, prevent, and generate alerts on attacks. It also calls for vulnerability scanning and maintaining an inventory of custom software, including APIs and third-party components (Requirements 6.2.4, 6.3.2, and 6.4.2).

Enhanced authentication: To prevent unauthorized access to sensitive payment data, multi-factor authentication (MFA) is now required for all access to the cardholder data environment (CDE), which encompasses any components that store, process, or transmit cardholder data (Requirement 8.4.2).

Security control monitoring and failure detection: Organizations must promptly detect and address failures of critical security control systems including intrusion detection/prevention systems and anti-malware solutions (Requirement 10.7).

Comprehensive vulnerability management: Regular and thorough vulnerability scanning of all public-facing applications and systems is required to identify exploitable vulnerabilities, even those deep within the software supply chain (Requirement 11.3.1).

Add F5 solutions on AWS for complete PCI DSS coverage

Like AWS, F5 also offers services that are PCI DSS compliant as a Level 1 service provider. F5 solutions provide the additional security capabilities needed for PCI DSS v4.0.1 compliance on AWS:

F5 Distributed Cloud WAF and F5 BIG-IP Advanced WAF deliver comprehensive application security that inspects application traffic and blocks OWASP Top 10 threats, layer 7 distributed denial-of-service (DDoS) attacks, and malicious bots. F5's WAF solutions can be deployed in front of any application regardless of where it lives—on premises, on AWS, or across multiple clouds.

F5 Managed Rules for AWS WAF provide pre-configured security rulesets that enhance the protection capabilities of AWS WAF. This continuously updated protection guards against OWASP Top 10 threats, malicious bots, API-level attacks, and other vulnerabilities.

F5 Distributed Cloud API Security discovers and protects APIs, including continuous monitoring with behavioral analysis to detect anomalies and potential attacks.

F5 BIG-IP Access Policy Manager enables zero-trust application access using MFA to reach the cardholder data environment (CDE). It secures cardholder data in transit and enforces secure access to meet requirements.

F5 BIG-IP SSL Orchestrator decrypts traffic coming into your AWS environment and steers it through your security stack to detect threats. It monitors the health of security solutions and can quickly mitigate issues when a security control fails, preventing unintentional traffic bypass.

F5 Distributed Cloud Web App Scanning continuously scans your external attack surface, uncovering exposed applications and APIs. Through automated penetration testing, it identifies potentially exploitable vulnerabilities deep within your software supply chain.

Streamline security and compliance with F5

By implementing F5 solutions alongside AWS security controls, you can:

  • Simplify compliance with comprehensive coverage for PCI DSS requirements, as well as audit logs and reporting.
  • Reduce your risk of data breaches through advanced threat detection and prevention.
  • Unify security posture for consistency across your entire hybrid or multicloud environment.

With over a decade of partnership, F5 and AWS work together to simplify app delivery and security in the cloud. F5 solutions are available from the AWS Marketplace to easily add complete protection for sensitive payment card data. Learn more by visiting our F5 on AWS webpage.
