
WAF for Fintech and PCI Compliance

Natalie Griffeth

Senior Content Marketing Manager


Organizations in the fintech industry must adhere to the PCI DSS standard in order to keep their systems and customers’ data secure. The following provides key background information on PCI DSS compliance and, more specifically, on how a web application firewall can help satisfy requirement 6: “develop and maintain secure systems and software”. You can use this guide to help achieve PCI compliance and to assess your existing tooling and strategy.

What is PCI compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of standards created to help protect cardholder data, ensure credit card transactions are handled securely, and help reduce the risk of fraud or data breaches anywhere in the payment ecosystem. It is governed by the Payment Card Industry Security Standards Council (PCI SSC).

PCI compliance involves adhering to these standards set out by the PCI SSC. 

What is PCI DSS v4.0?

The latest update to existing PCI DSS requirements is PCI DSS v4.0.

The aim of this update to prior editions of PCI DSS was to: 

  • Continue to meet the security needs of the payments industry (evolve with changing security threats). 

  • Promote security as a continuous process.

  • Increase flexibility for organizations using different methods to achieve security objectives.

  • Enhance validation methods and procedures.

Read more about what you need to know about PCI DSS v4.0.

Who needs to worry about PCI compliance? 

Any organization that handles credit card payments or payment information of any kind, no matter how small the business or number of transactions, must satisfy PCI DSS compliance requirements. Compliance is mandatory in order for the major banks and credit card companies to agree to work with the organization.

Short answer: if an organization accepts or uses credit cards in any way, PCI compliance is a must. 

What are the 12 PCI DSS requirements and how to prove you are compliant

1. Build and maintain a secure network

PCI standards require that you install and maintain a firewall configuration to protect cardholder data. Without a properly functioning firewall and properly configured routes, the first critical layers of an organization’s network defense can be compromised. 

Compliance: To comply with this requirement, an organization must demonstrate that the firewall configuration and routing controls described above are installed and functioning correctly. It must also show that it has testing and validation measures in place to confirm that these controls remain effective.

2. Apply secure configurations

An org must ensure they apply secure configurations to all system components. Orgs should never use vendor-supplied defaults for system passwords or any other security measures - instead implementing their own more robust parameters. 

Compliance: Orgs must demonstrate that they are not operating with any vendor-supplied passwords or security measures. Scanning tools can help identify any missed ‘factory’ passwords. 

3. Protect Stored Data

Organizations that collect and store any cardholder data must ensure that it is adequately protected. This means encrypting any stored cardholder data within existing systems. 

Compliance: Many organizations can become automatically compliant with this requirement by opting to NOT store cardholder data at all. If an org does opt to store it, they must prove that they have data encryption practices and policies in place. 

4. Use cryptography

Orgs must use strong cryptography when transmitting cardholder data over open or public networks. Any credit card information transmitted across a public network (e.g. web payments over the internet) must be encrypted. Encryption methods like TLS are often a first choice.

Compliance: Policy-driven testing solutions can help verify that an organization is 1) using encryption methods and 2) that they are working correctly. 

5. Protect systems and networks from malicious software

Orgs must use antivirus programs across all internal systems to help block malware and viruses. Antivirus software should be kept updated to the latest available version at all times.

Compliance: Proof of antivirus software use and inspection to verify use of the latest version will satisfy this requirement. 

6. Develop and maintain secure systems and software

Implementation of a robust AppSec program, from tooling to procedures and resources can be helpful in getting the best and most accurate view into an org’s security stance. Use of a full suite of AppSec tools (think SAST, DAST, Pentesting) can help identify weaknesses or vulnerabilities in software, and ensure secure coding practices throughout the software development lifecycle. 

Compliance: Use of software composition analysis (SCA) tools can help produce a software bill of materials (SBOM) that provides a complete list of an organization’s software and its known vulnerabilities. An SBOM can satisfy this regulation.

7. Restrict system component and cardholder data access

Access to sensitive cardholder data should be limited to a need-to-know basis. Access should be very limited and recorded (i.e., an org knows who is seeing this data and when). Documentation of this access should be kept and regularly reviewed to ensure the right people have access to cardholder data.

Compliance: Solutions can track and monitor access to applications and files, identifying unnecessary or suspicious access, while also demonstrating adequate restriction to only necessary data accessors. 

8. Identification and authentication of users

Orgs should identify users and authenticate their access to system components - employees should be assigned a unique ID to help monitor and track access and activities.

Compliance: Reporting or solutions that record user access across the org’s ecosystem. The ability to answer “who accessed this asset, and when?” satisfies this requirement.

9. Restrict physical access to data

Orgs should restrict physical access to cardholder data. This means devices, buildings, or any other tangible location where data is stored.

Compliance: Evidence of physical security measures (cameras, secure rooms, IP cameras) satisfies this requirement. 

10. Logging and monitoring of access

Orgs should log and monitor all access to system components and cardholder data. This logging should provide clear insight into normal (accepted) access, and flag any abnormal access to allow for quick investigation and remediation, as necessary. These logs are required in the event of a breach. 

Compliance: Evidence of adequate logging and monitoring is required. This can be achieved with a security information and event management (SIEM) solution in place. 

11. Regular security testing of networks and systems

Regular vulnerability scans to identify any weaknesses in an org’s environments should be a best practice. Scans should be a regular occurrence but are particularly important in the event of any organizational changes to the network, systems or applications.

Compliance: Evidence of continuous monitoring, pentesting, vulnerability scanning, or regular audits can help satisfy this requirement. 

12. Organizational support of IT

Orgs must support IT efforts with procedural and policy-based efforts around security. All employees should undergo security training and security champions or dedicated security teams should help maintain security awareness. Clear policies around security, risks, and company data should be communicated regularly. 

Compliance: Evidence of a clearly defined security policy, procedures, and dedicated security teams can help satisfy this requirement. 

PCI DSS requirement 6 explained

The Secure Software Standard offers security requirements for software vendors and developers to ensure the secure design and management of payment software, and to protect the integrity of payment transactions and the confidentiality of all payment card data that is stored, processed, or transmitted in association with payment transactions. Secure software used as part of a payment transaction flow is essential to facilitate reliable and accurate payment transactions.

What capabilities should a WAF have to satisfy PCI DSS, and what should you look for in a WAF for PCI compliance?

To satisfy PCI compliance requirements, your WAF must have the following capabilities:

  1. Active prevention mode (Req 6.4.2): Must actively detect and block malicious traffic in real-time, not just monitor or alert.

  2. OWASP top 10 defense (Req 6.2.4): Must have pre-configured rules to block core web threats like SQL injection (SQLi) and Cross-Site Scripting (XSS).

  3. Client-side protection (Req 6.4.3): Must monitor and authorize all JavaScript running in the consumer's browser to prevent Magecart-style credit card skimming.

  4. Automated rule updates (Req 6.4.2): Must receive automatic threat-intelligence updates to defend against zero-day exploits without manual intervention.

  5. Detailed logging (Req 10): Must generate tamper-resistant logs of all blocked attacks and stream them to your SIEM/audit systems.

Top 5 PCI-Compliant WAFs

| WAF Provider | Deployment Type | Target Audience | Key PCI Compliance and Security Features |
| --- | --- | --- | --- |
| Fastly Next-Gen WAF | Cloud, Edge, Agent, or Container | Enterprise, Modern DevOps and DevSecOps Teams | Uses SmartParse technology (eliminating tedious regex tuning to run safely in block-mode); meets PCI DSS v4.0 (Requirement 6.4.2); offers Client-Side Protection to safeguard scripts from Magecart-style credit card skimming |
| Cloudflare WAF | Cloud-based SaaS | E-commerce and Fast-Growing SMBs | Filters traffic at the edge; includes built-in DDoS protection and automatic SSL/TLS encryption (PCI Requirement 4). |
| AWS WAF | Cloud-Native | AWS-Hosted Architectures | Native integration with AWS load balancers; supports PCI DSS v4.0 with partner integrations for client-side script protection. |
| Imperva Cloud WAF | Cloud, On-Prem, or Hybrid | Enterprise and Finance | Pairs with Database Activity Monitoring (DAM) to track traffic down to database levels; uses ML-driven dynamic profiling. |
| Akamai App and API Protector | Global Edge Cloud | High-Traffic Global Enterprises | Consolidates WAF, API discovery, and bot mitigation; uses multi-dimensional adaptive threat scoring to protect cardholder APIs. |

How Fastly can help with PCI compliance

Procuring a WAF is the first step to accomplishing compliance, and the decision carries long-term impacts on security teams. While legacy vendors detect and block via thousands of rules that security teams must manage and tune, Fastly’s Next-Gen WAF takes an entirely different approach. Instead of blocking using tedious regular expressions like many legacy WAF vendors, Fastly’s Next-Gen WAF leverages SmartParse to offer Signals.

Signals provide clear guidance on what is an attack and integrate with our intuitive tooling to take action against them via alerts or blocking. Organizations leverage Signals with our threshold-based blocking methodology to limit the likelihood of blocking decisions impacting legitimate traffic. This departure from legacy methodologies enables organizations to move into blocking mode and gain confidence in their decisions before moving to instant blocking over time. Other WAFs make it difficult to validate blocking decisions, leading to unintentional impacts on legitimate traffic, but the Next-Gen WAF offers insights and tools to easily protect your organization without impacting legitimate traffic.
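As an added illustration, not Fastly’s own implementation (the Signals and thresholds of the Next-Gen WAF are the vendor’s), this toy Python model shows why threshold-based blocking limits the impact on legitimate traffic: a source is blocked only after it accumulates several attack-tagged requests inside a time window, so a single misclassified request is logged rather than dropped, while `threshold=1` models instant blocking. The signal names, window, durations and traffic sample are all constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    ts: float        # epoch seconds
    src_ip: str
    path: str
    signals: tuple   # attack signals the detection layer tagged, e.g. ("SQLI",)

class ThresholdBlocker:
    """Block a source only after `threshold` attack-tagged requests land within
    `window_s` seconds; earlier tagged requests are logged but still served."""

    def __init__(self, threshold=3, window_s=60.0, block_for_s=600.0):
        self.threshold, self.window_s, self.block_for_s = threshold, window_s, block_for_s
        self._hits = defaultdict(deque)   # src_ip -> timestamps of tagged requests
        self._blocked_until = {}          # src_ip -> epoch when the block lapses

    def decide(self, req):
        until = self._blocked_until.get(req.src_ip)
        if until is not None and req.ts < until:
            return "block"                # an active block applies to clean requests too
        if not req.signals:
            return "allow"                # untagged requests never count toward the threshold
        hits = self._hits[req.src_ip]
        hits.append(req.ts)
        while hits and req.ts - hits[0] > self.window_s:
            hits.popleft()                # forget tagged requests that fell out of the window
        if len(hits) >= self.threshold:
            self._blocked_until[req.src_ip] = req.ts + self.block_for_s
            hits.clear()
            return "block"
        return "log"                      # tagged and recorded for review, but still served

# Constructed traffic sample (RFC 5737 documentation addresses, not real clients).
SAMPLE = [
    Request(0.0, "203.0.113.7", "/api/cards", ()),
    Request(1.0, "203.0.113.7", "/search?q=O'Brien", ("SQLI",)),   # lone tag on a benign query
    Request(2.0, "198.51.100.9", "/login", ("SQLI",)),
    Request(3.0, "198.51.100.9", "/login", ("SQLI", "XSS")),
    Request(4.0, "198.51.100.9", "/login", ("SQLI",)),             # third tag inside the window
    Request(5.0, "198.51.100.9", "/account", ()),                  # clean, but the source is blocked
    Request(700.0, "198.51.100.9", "/account", ()),                # block has lapsed
]

def run_sample(threshold=3):
    waf = ThresholdBlocker(threshold=threshold)
    return [waf.decide(r) for r in SAMPLE]
```

With the default threshold the apostrophe-laden search query is only logged, whereas `run_sample(threshold=1)` blocks that same legitimate request immediately.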
