The Payment Card Industry Data Security Standard (PCI DSS) encourages and enhances payment card account data security and facilitates a broader adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. While specifically designed to focus on environments with payment card account data, PCI DSS can also be used to protect against threats and secure other elements in the payment ecosystem.
PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data environment (CDE). This includes all entities involved in payment card account processing — including merchants, processors, acquirers, issuers, and other service providers.
Compliance with PCI DSS also ensures that businesses adhere to industry best practices when processing, storing, and transmitting credit card data. In turn, PCI DSS compliance fosters trust among customers and stakeholders.
PCI DSS comprises a minimum set of requirements for protecting account data and may be enhanced by additional controls and practices to further mitigate risks. The below table lists the PCI DSS requirements at a high level, F5 qualifies as Level 1 Service Provider and while it does not process, store, or transmit CHD/SAD; it could impact the security of the cardholder data environment (CDE) of our customers.
Applicable Products: F5 Distributed Cloud, Bot Defense, and Silverline
For many services, F5 acts as a “processor” (not a controller) of the personal data required to provide a service. Details about the personal data that F5 processes are listed on the Privacy Statements for each service. Find all service-specific Privacy Statement links on the introduction of F5’s Privacy Notice at https://www.f5.com/company/policies/privacy-notice.
F5 and its services prioritize the protection of personal data and uphold the highest standards of data privacy. The technical and organizational controls that protect personal data collected by F5 are listed in the specific service contracts (for example, the Service-Specific Terms applicable to services provided under our End User Services Agreement) and in F5's SOC2 Type II report. F5 Global Support is ISO 27001 certified and F5 Distributed Cloud Services are ISO 27001 certified with an extension of ISO 27017 and ISO 27018. F5 is also PCI-DSS Compliant as a Level 1 Service Provider for the F5 Distributed Cloud Services. Additional security certifications apply to specific F5 services and F5 hardware. Find more detailed information about data security practices at https://www.f5.com/company/policies/privacy-notice.
