F5 Distributed Cloud Services are PCI-DSS Compliant as a Level 1 Service Provider
The Payment Card Industry Data Security Standard (PCI DSS) encourages and enhances payment card account data security and facilitates a broader adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. While specifically designed to focus on environments with payment card account data, PCI DSS can also be used to protect against threats and secure other elements in the payment ecosystem.
PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data environment (CDE). This includes all entities involved in payment card account processing — including merchants, processors, acquirers, issuers, and other service providers.
Compliance with PCI DSS also ensures that businesses adhere to industry best practices when processing, storing, and transmitting credit card data. In turn, PCI DSS compliance fosters trust among customers and stakeholders.
PCI DSS comprises a minimum set of requirements for protecting account data and may be supplemented with additional controls and practices to further mitigate risk. The table below lists the PCI DSS requirements at a high level. F5 qualifies as a Level 1 Service Provider: although F5 Distributed Cloud Services do not process, store, or transmit CHD/SAD, they could impact the security of our customers' cardholder data environment (CDE).
PCI DSS Security Standard - High Level Overview

Build and Maintain a Secure Network and Systems
  1. Install and Maintain Network Security Controls.
  2. Apply Secure Configurations to All System Components.

Protect Account Data
  3. Protect Stored Account Data.
  4. Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks.

Maintain a Vulnerability Management Program
  5. Protect All Systems and Networks from Malicious Software.
  6. Develop and Maintain Secure Systems and Software.

Implement Strong Access Control Measures
  7. Restrict Access to System Components and Cardholder Data by Business Need to Know.
  8. Identify Users and Authenticate Access to System Components.
  9. Restrict Physical Access to Cardholder Data.

Regularly Monitor and Test Networks
  10. Log and Monitor All Access to System Components and Cardholder Data.
  11. Test Security of Systems and Networks Regularly.

Maintain an Information Security Policy
  12. Support Information Security with Organizational Policies and Programs.
Source: Payment Card Industry Data Security Standard: Requirements and Testing Procedures, v4.0
F5 Distributed Cloud Services are SOC 2 Type II Compliant
A SOC 2 Type II report is a Service Organization Control (SOC) report based on the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria, commonly referred to as the trust principles. It examines a service provider's internal controls and systems related to the security, availability, processing integrity, confidentiality, and privacy of data. These reports play an important role in vendor management programs and in the regulatory oversight of an organization. A Type II report covers both the suitability of the design of an organization's controls and their operating effectiveness over a period of time, whereas a Type I report covers the design of the controls at a single point in time only.
At F5, the SOC 2 Type II report meets the needs of customers who require detailed information and assurance about the controls at F5. It offers independent evidence that we implement the security controls we say we do and that those controls are operating as intended. Customers cannot directly observe how their information is handled by a third-party vendor; a SOC 2 Type II report provides that visibility.
Of the five trust principles an organization can choose to be examined against, the F5 Distributed Cloud Services report covers the security, availability, and confidentiality of the information processed by our systems.
Each trust principle sets out control objectives; the organization decides how it will meet them. The SOC 2 trust principles are modeled around:
The Health Insurance Portability and Accountability Act (HIPAA) protects patient privacy by legally enforcing rigorous technical, administrative, and physical safeguards on healthcare organizations that electronically transmit sensitive health data, and on their business associates.
F5 Distributed Cloud Services’ SOC 2 Type II report includes attestation of compliance with HIPAA controls. For our services, we must comply with:
HIPAA is a United States law; it applies only to covered entities and their business associates operating in the USA.
F5 Distributed Cloud Services are ISO 27001 Certified, with ISO 27017 and ISO 27018 Extensions
F5 Global Support is ISO 27001 certified only.
ISO 27001 is an international standard to manage information security. It is the world's best-known standard for information security management systems (ISMS). The ISO 27001 standard provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving an information security management system.
Conformity with ISO 27001 means that an organization or business has put in place a system to manage risks related to the security of data owned or handled by the organization, and that this system respects all the best practices and principles enshrined in this International Standard.
ISO 27001 promotes a holistic approach to information security by vetting people, policies, and technology. An information security management system implemented according to this standard ensures risk management, cyber-resilience, and operational excellence.
ISO 27001 is the only auditable international standard that specifies the requirements an ISMS must meet.
ISO 27001:2022 Annex A is made up of 93 controls grouped into 4 themes: organizational, people, physical, and technological.
ISO 27017 is a Code of Practice for Information Security Controls based on ISO/IEC 27002 for Cloud Services, and serves as an information security framework for organizations that provide or use cloud services. Cloud service providers adopt this standard because it gives their cloud service customers (and others) a consistent and comprehensive approach to information security in the cloud.
ISO 27017 provides cloud-specific implementation guidance for 37 of the ISO 27002 controls and adds 7 new controls for cloud-only concerns, such as shared roles and responsibilities between provider and customer, removal of customer assets on contract termination, and segregation in virtual computing environments.
ISO 27018 is a Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors. It outlines best practices for public cloud service providers (CSPs) on how to better protect the PII they process on behalf of their customers.
ISO 27018 provides PII-specific guidance for 16 controls from ISO 27002 and adds 25 new privacy and security controls.
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It applies to all organizations, regardless of their location, that process the personal data of individuals in the EU/EEA. This includes companies established outside the EU that offer goods or services to EU data subjects or monitor their behavior within the EU.
The GDPR has several key provisions, including:
F5 Distributed Cloud Services' SOC 2 Type II report maps its controls to the relevant GDPR chapters and articles.
Similar to Europe's General Data Protection Regulation (GDPR), though with several key differences, the California Consumer Privacy Act (CCPA) is a legal framework designed to safeguard consumers' sensitive personal information. As the digital landscape has evolved over the past decade, the notion of consumer rights has expanded, particularly where sensitive data is concerned. After a number of highly public data breaches in recent years, personal information, from Social Security Numbers to payment card data, needs to be safeguarded more vigorously than ever. CCPA is California's effort to ensure that organizations properly protect their customers' sensitive personal data.
F5 has adhered to strict standards for our users' data since before CCPA went into effect. We minimize our collection of personal data and use it only for the purpose for which it was collected. We have committed to keeping personal information private and have never sold or rented our users' personal information to anyone. We give people the ability to access, correct, or delete their personal information and, consistent with our role as a data processor, give our customers control over the information captured by our products.