Get Ready for PCI-DSS 4.0 Compliance with Vercara’s UltraWAF

The PCI-DSS 4.0 compliance deadline is approaching – and Vercara is here to help.  

Protecting credit card and cardholder data is a core obligation for any business that accepts card payments. The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security standards established by the major payment card brands to ensure the secure handling of cardholder data.

To achieve compliance, businesses must adhere to twelve key requirements in six categories outlined by PCI-DSS. Each requirement is discussed in detail in the standard, highlighting the measures and controls necessary to safeguard sensitive cardholder data effectively. 

Build and maintain a secure network and systems.

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data.

  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.

Maintain a vulnerability management program.

  5. Protect all systems against malware and regularly update antivirus software or programs.
  6. Develop and maintain secure systems and applications.

Implement strong access control measures.

  7. Restrict access to system components and cardholder data by business need to know.
  8. Identify users and authenticate access to system components.
  9. Restrict physical access to cardholder data.

Regularly monitor and test networks.

  10. Log and monitor all access to system components and cardholder data.
  11. Test the security of systems and networks regularly.

Maintain an information security policy.

  12. Support information security with organizational policies and programs.

Changes in PCI-DSS version 4.0. 

PCI-DSS is evolving to keep up with emerging threats and technologies and to gradually mature the security level of merchants and merchant providers.  

Version 4.0 was published in March of 2022 and became effective in March 2024. Some of the key changes in PCI-DSS Version 4.0 include:

  • Increased focus on security awareness and training: This version emphasizes the need for organizations to continuously train their employees in security best practices and procedures.
  • Introduction of a risk-based approach: Organizations are now required to assess the risks associated with their cardholder data environment and implement controls accordingly.
  • Strengthened requirements for service providers: This version includes stricter requirements for third-party service providers to ensure the security of cardholder data.
  • Expanded requirements for secure coding practices: Version 4.0 includes additional controls and guidelines for secure coding practices, recognizing the importance of software security in protecting cardholder data.

The increased role of web application firewalls (WAF) in PCI-DSS 4.0. 

One of the changes in PCI-DSS 4.0 is the increased reliance on web application firewalls (WAFs) as a security control for Internet-facing applications. WAFs are designed to protect websites and applications from vulnerabilities and attacks by filtering incoming traffic and blocking malicious requests.  

PCI-DSS section 6.4 includes specific requirements for organizations to implement WAFs, such as ensuring that they are configured properly and regularly updated with the latest vulnerability and attack rulesets. 

Two subsections of section 6.4 are directly relevant to WAFs.

Subsection 6.4.1 requires either application vulnerability assessment tools (in its first half) or the use of a WAF (in its second half) to protect against a specific list of vulnerabilities. Subsection 6.4.2 is a future-dated requirement: it is a best practice until 31 March 2025, after which it becomes mandatory and replaces 6.4.1.

The first half of subsection 6.4.1 is as follows: 

“For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows:  

Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods as follows:  

  • At least once every 12 months and after significant changes. 
  • By an entity that specializes in application security. 
  • Including, at a minimum, all common software attacks in Requirement 6.2.4.  
  • All vulnerabilities are ranked in accordance with Requirement 6.3.1.
  • All vulnerabilities are corrected.  
  • The application is re-evaluated after the corrections.”  

The second half of subsection 6.4.1 details the requirements for a WAF solution: 

“Installing an automated technical solution(s) that continually detects and prevents web-based attacks as follows:  

  • Installed in front of public-facing web applications to detect and prevent web-based attacks.  
  • Actively running and up to date as applicable.  
  • Generating audit logs.  
  • Configured to either block web-based attacks or generate an alert that is immediately investigated.” 

Subsection 6.4.2 requires detection, prevention (blocking), and logging of attacks against public-facing web applications: 

“For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks, with at least the following:  

  • Is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks. 
  • Actively running and up to date as applicable. 
  • Generating audit logs. 
  • Configured to either block web-based attacks or generate an alert that is immediately investigated.” 

Vercara UltraWAF: Your solution for PCI-DSS compliance. 

Vercara’s UltraWAF is a web application firewall solution specifically designed to help organizations meet their PCI-DSS compliance mandates. UltraWAF provides protection against web application vulnerabilities listed in the Common Vulnerabilities and Exposures (CVE) database, including the following: 

  • SQL injection (SQLi). 
  • Command injection. 
  • Other injection vulnerabilities. 
  • Cross-site scripting (XSS). 
  • Cross-site request forgery (CSRF). 
  • Buffer overflow. 
  • Cookie tampering. 
  • HTTP protocol vulnerabilities. 
  • TLS vulnerabilities. 

UltraWAF also includes Bot Management capabilities to identify and block automated attacks such as vulnerability scanners and web content scrapers, using a combination of:

  • HTTP rate controls. 
  • Bot signatures. 
  • IP blocking. 
  • Geoblocking. 
  • Bot traps. 
  • Device fingerprinting. 

UltraWAF also supports several key features: 

  • Learning mode. 
  • Real-time reporting and monitoring. 
  • Custom signatures. 
  • Positive and Negative security models. 
  • TLS/SSL encryption. 
  • Integrated DDoS protection. 

How UltraWAF meets the WAF requirements of PCI-DSS 4.0. 

Both subsections 6.4.1 and 6.4.2 have explicit requirements for WAF implementation, which UltraWAF meets on every level: 

“Installed in front of public-facing web applications to detect and prevent web-based attacks.” 

As a cloud WAF, UltraWAF is deployed in front of public-facing web applications as a reverse proxy. Onboarding consists of telling UltraWAF where your application server is, uploading a TLS certificate, initializing a basic WAF configuration, testing, and then changing DNS records to route traffic through the WAF.

“Actively running and up to date as applicable.” 

UltraWAF operates as an always-inline, always-on web protection solution. 

“Generating audit logs.” 

UltraWAF generates audit logs. These are viewable inside the UltraWAF portal or exportable via API (Application Programming Interface). 

“Configured to either block web-based attacks or generate an alert that is immediately investigated.” 

UltraWAF is best configured to block attacks outright, which satisfies this requirement directly rather than relying on an alert being raised and investigated immediately.

As a service platform that transports credit card transactions and data, UltraWAF is a PCI-DSS-compliant platform and has an Attestation of Compliance (AOC). 

Solutions complementary to PCI-DSS and UltraWAF. 

Other Vercara solutions can work in conjunction with UltraWAF to help businesses protect their online presence, branding, users, and revenue streams, including: 

Authoritative DNS: Vercara UltraDNS is a bulletproof, managed, authoritative DNS service for accurate, safe, and reliable connections. 

DDoS Mitigation: UltraDDoS Protect is turnkey, best-in-class DDoS protection for your applications to counter attacks of any size, length, or complexity.

Protective DNS: UltraDDR is a cloud-based DNS-layer cyber threat detection and response service that identifies and mitigates attacks, such as malware and ransomware, before they proliferate, independent of protocol, for devices inside and outside your network. 

A security bundle designed to meet all your PCI DSS needs. 

To help businesses of any size protect their online brand and revenue streams, Vercara offers a customizable product bundle, UltraSecure, to address the needs of small and mid-size companies. We also provide a more robust offering, UltraPlatform, for enterprise brands. Vercara’s enterprise-grade products are bundled together at the right scope and price to help you meet your protection requirements such as in PCI-DSS Version 4.0 and other standards and frameworks. 

Don’t get caught out of compliance. 

Achieving and maintaining PCI-DSS 4.0 compliance is vital for businesses that handle cardholder data. By following the 12 major requirements, staying updated with the changes in Version 4.0, and leveraging the power of Vercara UltraWAF, organizations can ensure the protection of sensitive data and mitigate the risks associated with data breaches. 

With Vercara UltraWAF, businesses can confidently navigate the complex landscape of PCI-DSS compliance and focus on delivering exceptional services while keeping their customers’ cardholder data secure. To learn more about UltraWAF and how it can block attacks and help your organization remain compliant, visit our product page.  

Last Updated: March 27, 2024