The latest PCI DSS (Payment Card Industry Data Security Standard) 4.0.1 update is significant, placing a greater emphasis on software supply chains including APIs and client-side scripts.
With the retirement of PCI DSS 3.2.1, organizations processing payments must adapt to the evolving landscape of modern, microservices-based applications, multicloud environments, and the increased implementation of APIs.
This blog post explores some of the critical new requirements introduced in PCI DSS 4.0.1 specifically aimed at safeguarding APIs, which have become integral to transactions across almost all industries and organizations.
The new mandates include:
The latest revisions to the PCI DSS 4.0 standard were released by the PCI Security Standards Council in June 2024 and are in response to business and technical transformations observed in recent years. These changes acknowledge the widespread adoption of APIs and evolution of the apps and infrastructure supporting a growing number of services and interactions powering today’s increasingly digital economy, including in-person, web, and mobile payment systems.
APIs represent a shift in the threat paradigm, with their own set of specific threats covered in the API OWASP TOP 10. They are susceptible to most of the same attacks and vulnerabilities as traditional web apps, but often expose business logic directly, making them an increasingly desirable target for attackers. And they demand a specific set of controls to protect data from unauthorized access, manipulation, or exposure to ensure privacy and maintain the trust of users and stakeholders, as well as to ensure the confidentiality, integrity, and availability of API communications.
A March 2025 deadline for organizations to comply underscores the urgency for businesses to align with these new specifications to safeguard APIs and their client-side scripts.
To meet PCI DSS 4.0 standards effectively and protect their entire threat surface, organizations should evaluate their existing security infrastructure, processes, and capabilities, and consider implementing solutions that deliver the following:
PCI DSS 4.0.1's focus on API security signifies a crucial step toward safeguarding digital transactions in today's complex and ever evolving IT environments.
As the deadline approaches, proactive measures to enhance API security will be pivotal in achieving and maintaining compliance. They also will improve the resiliency of your infrastructure against cyber threats and attacks targeting APIs and client-side scripts, strengthen protection of your customers payment card data and information, and deepen trust and credibility of your organization with customers and regulatory bodies.
You can prepare your organization for PCI DSS 4.0.1 compliance by assessing your current API security practices, identifying gaps, and implementing necessary improvements. Stay informed about additional resources and guidance provided by PCI Security Standards Council to ensure readiness by March 2025.
This doesn’t have to be a daunting task. F5 has the expertise and solutions to help organizations assess and implement controls that align to the new requirements and enhance your web app and API security posture.
Check out this demo of F5’s complete API security in action and reach out to us today to set up a meeting with one of our experts.