The latest PCI DSS (Payment Card Industry Data Security Standard) 4.0.1 update is significant, placing a greater emphasis on software supply chains, including APIs and client-side scripts.
With the retirement of PCI DSS 3.2.1, organizations processing payments must adapt to the evolving landscape of modern, microservices-based applications, multicloud environments, and the increased implementation of APIs.
This blog post explores some of the critical new requirements introduced in PCI DSS 4.0.1 specifically aimed at safeguarding APIs, which have become integral to transactions across almost all industries and organizations.
The new mandates include:
- Pre-deployment testing 6.2.3: This emphasizes the rigorous review, testing, and secure development practices for bespoke and custom software, including APIs prior to release, to identify and correct code vulnerabilities.
- Protection against common threats 6.2.4: Organizations must implement controls to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software. The focus includes abuse of business logic, injection attacks (e.g., SQL, LDAP, XPath, or other command, parameter, object, or fault injection), and attacks on access control and data. All are critical in the protection of APIs.
- Inventory and insight into bespoke software 6.3.2: Businesses must also maintain visibility into, and an inventory of, bespoke and custom software, including APIs and third-party components, to support vulnerability management and patching and ensure a comprehensive security posture.
- Production visibility, threat detection, and testing 6.4.1 and 6.4.2: This update highlights the need for regular testing and continuous monitoring and protection of public-facing web applications and APIs against vulnerabilities, known attacks, and emerging threats. Among these requirements:
  - Regular (at least annual) scanning and testing of public-facing web apps and APIs
  - A technical solution, deployed in front of public-facing web apps and APIs, to detect and prevent web- and API-based attacks
Organizations face a March 2025 deadline to comply
The latest revisions to the PCI DSS 4.0 standard were released by the PCI Security Standards Council in June 2024 and are in response to business and technical transformations observed in recent years. These changes acknowledge the widespread adoption of APIs and evolution of the apps and infrastructure supporting a growing number of services and interactions powering today’s increasingly digital economy, including in-person, web, and mobile payment systems.
APIs represent a shift in the threat paradigm, with their own set of specific threats covered in the OWASP API Security Top 10. They are susceptible to most of the same attacks and vulnerabilities as traditional web apps, but they often expose business logic directly, making them an increasingly desirable target for attackers. They therefore demand a specific set of controls to protect data from unauthorized access, manipulation, or exposure, to preserve privacy and the trust of users and stakeholders, and to ensure the confidentiality, integrity, and availability of API communications.
A March 2025 deadline for organizations to comply underscores the urgency for businesses to align with these new specifications to safeguard APIs and their client-side scripts.
Some strategies for ensuring compliance
To meet PCI DSS 4.0 standards effectively and protect their entire threat surface, organizations should evaluate their existing security infrastructure, processes, and capabilities, and consider implementing solutions that deliver the following:
- Comprehensive API discovery: This begins with integration with code repositories to build complete and accurate inventories and documentation directly from the source(s). But it also includes traffic-based analysis and domain crawling to identify shadow, zombie, unmanaged, and third-party APIs.
- Robust API testing: Such testing provides preproduction analysis of API code paired with dynamic testing of public-facing apps and APIs, delivering continuous identification of vulnerabilities with context and remediation guidance.
- Runtime protection: This requires in-line enforcement and control mechanisms to block, limit, and enforce proper API behavior. It includes WAF and other API-specific functionality such as API protection rules, rate limiting, data masking, and schema enforcement, which together deliver a positive security model.
- Continuous monitoring and anomaly detection: This includes AI/ML-based behavioral analysis and continuous traffic inspection of APIs to identify potential attacks, sensitive data exposure, and other abnormal API behavior that may indicate abuse or compromise of an API endpoint.
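To make the runtime-protection bullet concrete, here is an added example (not F5 code and not part of the original post) of a positive security model for a payment API: an allow-list schema that rejects unknown fields and malformed values, PCI-style masking of the PAN before it reaches logs, and a per-client sliding-window rate limiter. The endpoint, field names, and limits are constructed assumptions for illustration.

```python
"""Positive-security-model request gate for a payment API (added illustration)."""
import re
import time
from collections import defaultdict, deque

# Constructed, hypothetical schema for POST /v1/payments: only these fields,
# with these types and formats, are accepted. Anything else is a violation.
PAYMENT_SCHEMA = {
    "pan": (str, re.compile(r"\d{13,19}")),
    "expiry": (str, re.compile(r"(0[1-9]|1[0-2])/\d{2}")),
    "amount_cents": (int, None),
    "currency": (str, re.compile(r"[A-Z]{3}")),
}

def validate_payment(body):
    """Return a list of schema violations; an empty list means the request is allowed."""
    errors = []
    for key in body:
        if key not in PAYMENT_SCHEMA:
            errors.append(f"unexpected field: {key}")  # allow-list: unknown fields rejected
    for key, (typ, pattern) in PAYMENT_SCHEMA.items():
        if key not in body:
            errors.append(f"missing field: {key}")
            continue
        val = body[key]
        if type(val) is not typ:  # strict: bool is not accepted where int is required
            errors.append(f"bad type for {key}")
        elif pattern and not pattern.fullmatch(val):
            errors.append(f"bad format for {key}")
    return errors

def mask_pan(pan):
    """Keep at most first six and last four digits, as PCI DSS permits for display/logging."""
    if len(pan) < 13:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per client."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)  # client key -> timestamps of recent requests
    def allow(self, client, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits[client]
        while q and now - q[0] > self.window:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True
```

In a real deployment the schema check and masking run before any logging or business logic, and the limiter keys on an authenticated client identity rather than a raw source IP.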
The update is substantial, but compliance doesn’t have to be daunting
PCI DSS 4.0.1's focus on API security signifies a crucial step toward safeguarding digital transactions in today's complex and ever evolving IT environments.
As the deadline approaches, proactive measures to enhance API security will be pivotal in achieving and maintaining compliance. They will also improve the resiliency of your infrastructure against cyber threats and attacks targeting APIs and client-side scripts, strengthen protection of your customers' payment card data and information, and deepen the trust and credibility of your organization with customers and regulatory bodies.
You can prepare your organization for PCI DSS 4.0.1 compliance by assessing your current API security practices, identifying gaps, and implementing necessary improvements. Stay informed about additional resources and guidance provided by PCI Security Standards Council to ensure readiness by March 2025.
This doesn’t have to be a daunting task. F5 has the expertise and solutions to help organizations assess and implement controls that align to the new requirements and enhance your web app and API security posture.
Check out this demo of F5’s complete API security in action and reach out to us today to set up a meeting with one of our experts.