Op-Ed: The new PCI DSS standard lands on 31 March – WAFs are now non-optional

Web application firewalls are now an essential requirement for safe credit card transactions – here’s why that’s a good thing.

The Payment Card Industry Data Security Standard (PCI DSS) is the global standard, maintained by the PCI Security Standards Council on behalf of the major card brands, for organisations that store, process or transmit payment card data. Its aim is to make card payments safer worldwide.

All organisations taking payments using credit or debit cards must comply with the standard. That means thousands of Australian organisations operating in a wide range of industries such as retail, financial services, healthcare services and more, including merchants, processors, acquirers, issuers, and other service providers.

PCI DSS v4.0 was published in March 2022 and has been the only active version since v3.2.1 was retired on 31 March 2024, but many of its new or amended requirements were designated "best practice" until 31 March 2025. From that date they become mandatory and are assessed like any other requirement. These changes are designed to make card handling more secure at a time when cyber attacks are increasingly common and more sophisticated.

Organisations that do not comply are at risk of facing substantial financial penalties, with fines ranging from US$5,000 to US$100,000 per month, depending on the severity and duration of the non-compliance.

PCI DSS 4.0 is an extensive standard, but there’s one change I want to shed light on – firstly, because it is a significant one, and secondly, because there’s a simple fix for it, and that is to implement a web application firewall (WAF).

Key change: ‘You now require a WAF’

The change in question is in requirement 6.4, "Public-facing web applications are protected against attacks". Specifically, requirement 6.4.2 replaces requirement 6.4.1 from 31 March 2025; the new requirement states:

“For public-facing web applications, [a solution] is deployed that continually detects and prevents web-based attacks … A web application firewall (WAF), which can be either on-premise or cloud-based, installed in front of public-facing web applications to check all traffic, is an example of [a solution] that detects and prevents web-based attacks …”

Until then, requirement 6.4.1 offers an alternative to deploying a WAF:

“[Review] public-facing web applications via manual or automated application vulnerability security assessment tools or methods … At least once every 12 months …”

For many organisations this alternative was quicker, cheaper and easier: rather than purchasing, deploying and learning to operate a WAF, they could commission a vulnerability assessment of the application once a year (and after each significant change). Requirement 6.4.2 retires that assessment-only option. Strictly, the standard's wording is an "automated technical solution that continually detects and prevents web-based attacks", with a WAF named as the example; in practice a WAF is how almost every merchant will meet it. The requirement also expects that solution to be actively running and kept up to date, to generate audit logs, and to be configured either to block web-based attacks or to raise alerts that are investigated immediately, so a WAF left in monitoring mode with nobody reading its alerts does not satisfy it.

The good news is that beyond simply ticking a compliance box, WAFs can greatly improve an organisation’s security posture and will be beneficial in the long run as more cyber threats emerge. They are a crucial security layer that should be part of any modern, multi-layered “defence in depth” strategy.

What a WAF is and why it matters

A WAF sits in front of websites, web applications and APIs as an additional layer of defence. It inspects HTTP(S) requests (and, depending on the product, responses) against rules that describe known attack patterns and blocks or flags the ones that match, so that the application is not an easy target for opportunistic attackers. It complements, rather than replaces, secure coding and vulnerability testing: a WAF reduces the volume of attacks that reach the application, but it cannot see application logic and can be bypassed by payloads its rules do not recognise.

Any internet-facing or mission-critical web application should sit behind a WAF. This matters most for applications that handle payment, financial or otherwise confidential data, where a successful attack can mean large fines, regulatory investigation and, in the worst case, the failure of the business. A WAF also gives the operator one place to see and control the traffic reaching the application, and to shield a known vulnerability with a rule (often called virtual patching) while the code fix is built, tested and deployed.

What is the best way to implement a WAF

One common option is an application delivery controller (ADC) with built-in WAF functionality. Over the past decade the ADC has become one of the main technologies for addressing the performance and availability of internet-facing applications, and organisations of all sizes can deploy and configure one with comparatively little effort using the management tooling that comes with it.

Often described as the next generation of load balancer, an ADC typically sits between the firewall/router and the web server farm. Built to address the complexity, performance, scalability and security of website infrastructure, it distributes user traffic across two or more servers so that no single server is overloaded. Beyond resilience and stability, its WAF component protects web applications from a wide range of attacks, including cross-site scripting (XSS), SQL injection and HTTP protocol attacks.
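To make the inspection step concrete, here is a toy, signature-based request filter in Python. It is an added illustration, not code from any WAF or ADC product, from the PCI Security Standards Council, or from this article's author; the rule set, the Request format and every sample request are constructed for the example. It shows the parts of the mechanism a practitioner should understand before trusting a WAF: normalisation (repeated percent-decoding, because a filter that matches before decoding is bypassed by double encoding), rule matching across path, query string, headers and form body for the three attack classes named above, the block-versus-alert decision that requirement 6.4.2 allows, and an audit log line that deliberately omits request contents that might contain card data.

```python
"""Toy signature-based WAF request filter: decode, match, decide, log.
Illustrative only; a production WAF uses a far larger rule set (e.g. OWASP CRS)."""
import json
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed rule set (id, description, pattern) covering the attack classes named
# in the article: SQL injection, cross-site scripting and HTTP protocol abuse.
RULES = [
    ("SQLI-001", "quote + boolean tautology, SQL comment or stacked statement",
     re.compile(r"""('|")\s*(or|and)\s+[\w'"]+\s*=\s*[\w'"]+|--\s|/\*.*?\*/|;\s*(drop|delete|insert|update)\b""",
                re.I | re.S)),
    ("SQLI-002", "UNION-based injection", re.compile(r"\bunion\b[\s/*]*\bselect\b", re.I)),
    ("XSS-001", "script tag or inline event handler",
     re.compile(r"<\s*script\b|\bon(error|load|click|mouseover)\s*=", re.I)),
    ("XSS-002", "javascript: URI", re.compile(r"javascript\s*:", re.I)),
    ("PROTO-001", "CR/LF in a request field (header injection / response splitting)",
     re.compile(r"[\r\n]")),
]


@dataclass
class Request:                        # hypothetical minimal request model
    method: str
    target: str                       # request-line target: path plus query string
    headers: dict
    body: str = ""                    # application/x-www-form-urlencoded body, if any


@dataclass
class Verdict:
    action: str                       # "allow", "block" or "alert"
    matches: list = field(default_factory=list)   # (rule_id, location, evidence)


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so %27, %2527 and %252527 all reach the
    quote character. A filter that matches only the once-decoded value is bypassed
    by double encoding; the bound stops a pathological input from looping forever."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect(req: Request, mode: str = "block", decode_rounds: int = 3) -> Verdict:
    """Scan every attacker-controlled field (path, query, headers, form body) against
    RULES. mode selects between the two options 6.4.2 permits: block the request, or
    alert so that someone investigates it immediately."""
    if mode not in ("block", "alert"):
        raise ValueError("mode must be 'block' or 'alert'")
    parts = urlsplit(req.target)
    fields = [("path", parts.path)]
    fields += [(f"query:{k}", v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    fields += [(f"header:{k}", v) for k, v in req.headers.items()]
    fields += [(f"body:{k}", v) for k, v in parse_qsl(req.body, keep_blank_values=True)]
    matches = []
    for location, raw in fields:
        value = normalize(raw, decode_rounds)
        for rule_id, _desc, pattern in RULES:
            hit = pattern.search(value)
            if hit:
                matches.append((rule_id, location, hit.group(0)))
    return Verdict(mode if matches else "allow", matches)


def audit_record(req: Request, verdict: Verdict) -> str:
    """One JSON audit line per decision (the requirement's 'generating audit logs'
    element). Only rule ids and field locations are recorded, never the field values
    or the full request: query strings and bodies on a payment site can carry PANs.
    The matched evidence stays in the Verdict for the analyst handling the alert."""
    return json.dumps({
        "action": verdict.action,
        "method": req.method,
        "path": urlsplit(req.target).path,
        "rules": sorted({m[0] for m in verdict.matches}),
        "locations": sorted({m[1] for m in verdict.matches}),
    }, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample requests; none of this is captured traffic.
    samples = [
        (Request("GET", "/search?q=blue+suede+shoes&page=2", {"User-Agent": "Mozilla/5.0"}), "block"),
        (Request("GET", "/login?user=admin%27%20OR%20%271%27%3D%271&pass=x", {}), "block"),
        (Request("GET", "/search?q=%253Cscript%253Ealert(1)%253C/script%253E", {}), "block"),
        (Request("POST", "/comment", {"Content-Type": "application/x-www-form-urlencoded"},
                 "comment=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E"), "alert"),
    ]
    for req, mode in samples:
        verdict = inspect(req, mode)
        print(audit_record(req, verdict), verdict.matches)
    # The same double-encoded payload seen by a filter that never re-decodes sails through.
    print(inspect(samples[2][0], decode_rounds=0).action)
```

The design point worth carrying over to a real deployment is the last line of the demo: the third sample is blocked only because the filter keeps decoding until the value stops changing. Whatever product you buy, test it with encoded and double-encoded payloads in every field it claims to cover, and check that its audit log is both complete enough to investigate an alert and free of cardholder data, since a log that stores PANs creates a new PCI DSS problem while solving this one.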

The combination of ADCs and WAFs offers a comprehensive solution for optimising and securing application delivery and can be the most convenient way for organisations to meet the PCI DSS 4.0 requirements.

We know that the regulatory landscape around data security, particularly in the payments and card transactions space, is only going to tighten in the coming years. While PCI DSS 4.0 might be seen as an extra burden, it is actually an opportunity to ramp up an organisation’s defences and build resilience in an increasingly risky cyber world.