Defense Against Bots Should Also Help Drive PCI-DSS Compliance

Edward O'Connell Miniatur
Edward O'Connell
Published September 18, 2023

Cybercrime has grown and will continue to do so due to readily available automation tools and stolen credentials making attacking applications for profit quite simple. This, in turn, has driven greater industry and government security standards to ensure compliance and trust. An example of such industry security standard is Payment Card Industry Data Security Standard (PCI-DSS), with the release of the v4 requirements. One of the goals of the release is to update the overall protection schema for client-side security.

PCI-DSS is a critical standard as it enables payment processors and service providers to trust and protect each other. To meet the growing needs of electronic transactions, various merchants and service providers have migrated their applications to cloud-based infrastructure to ensure scalable, low-latency operations. PCI-DSS compliance standards apply to all electronic transactions, regardless of what infrastructure merchants and service providers use to process payments. PCI-DSS covers network security, data encryption, and management but does not address protecting applications (and data) from automated attacks.

In order to protect cloud-based applications and data from automated (or manual) attacks, payment processors and merchants rely on third-party security service providers to deliver distributed protection for applications and data. PCI-DSS certification of a SaaS security vendor is critical for the payment issuers to maintain compliance and trust of other vendors that they are connected and transact business with. A Security-as-a-Service vendor without PCI-DSS compliance makes it much harder for payment issuers to maintain or prove compliance and continued trust with third-party organizations they are connected with for payment processing.

From the PCI-DSS glossary, a service provider is a business entity that is not a payment brand directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, intrusion detection systems, and other services as well as hosting providers and other entities.

F5 Distributed Cloud (XC) Bot Defense is a SaaS solution that protects applications from automated attacks and meets PCI-DSS compliance requirements as a service provider. F5 XC Bot Defense provides security for payment issuers and alike against automated attacks for a wide range of industries such as financial services, retail and eCommerce, healthcare, and governments across the globe.

A good example of how F5, as a service provider, is able to meet PCI-DSS compliance requirements is strict adherence (policy, operation, and documentation) to PCI requirements listed below:

1.3 Network access to and from the cardholder data environment (CDE) is restricted.

1.3.1 Inbound traffic to the CDE is restricted as follows:

  • To only traffic that is necessary.
  • All other traffic is specifically denied.

1.3.2 Outbound traffic from the CDE is restricted as follows:

  • To only traffic that is necessary.
  • All other traffic is specifically denied.

1.4.1 NSCs are implemented between trusted and untrusted networks.

1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted to:

  • Communications with system components that are authorized to provide publicly accessible services, protocols, and ports.
  • Stateful responses to communications initiated by system components in a trusted network.
  • All other traffic is denied.

1.4.3 Anti-spoofing measures are implemented to detect and block forged source IP addresses from entering the trusted network.

As a PCI-DSS service provider, F5 must not only meet PCI-DSS requirements but build on them to readily secure distributed applications and data from automated attacks that can quickly scale up and/or mutate.

To find out more about how F5 Distributed Cloud Bot Defense can not only protect your applications and data from attack but also streamline your PCI-DSS compliance process, check out: