PCI DSS 4.0 Demystified

Lorraine Bellon

Senior Product Marketing Manager, Security

The upcoming PCI DSS 4.0 deadline on March 31, 2025 is fast approaching. With it, everything announced in version 4.0 in March 2022 is set in stone. Here, we break down everything you need to know to be ready for this deadline.

What is PCI DSS 4.0?

At a high level, PCI DSS 4.0 strengthens security measures around authentication, encryption, and monitoring for businesses that process payment cards. This includes things like:

  • Multi-factor authentication for employees who access card data

  • Stricter password requirements for systems

  • More security controls and alerting for security teams

  • More thorough risk assessments and management

All of these are typical security measures for any organization, so it’s easy to think of PCI DSS compliance as a box-checking exercise for the audit team. For many organizations, that’s where it begins and ends. But there’s more to it than that.

Why we need enhanced security in PCI DSS 4.0

A big reason for the enhanced security measures in PCI DSS 4.0 is the increase in sophisticated cyber attacks designed to steal payment card data.

Payment card theft is not a new problem – you might carry your credit cards in an RFID-proof wallet, or choose a gas station that accepts mobile payments just in case a hidden magnetic card reader is attached to the pump, ready to steal your credit card information. But what about on your website?

No one wants to visit a restaurant with a “C” rating from the health department. If your website leads to customers losing credit card details to a scammer, you risk losing their business for good.

But there is good news! You can take one major step toward achieving your compliance goals in minutes.

Why organizations need a WAF

PCI DSS 4.0 requires organizations to procure and deploy a web application firewall (WAF) by the March 31, 2025 deadline. WAFs are a critical piece of any application security puzzle, but they can be a big source of friction for both security and engineering teams.

Many WAFs on the market today produce a high number of false positives and require long, tedious tuning periods to eliminate unnecessary alerts. Even worse, many are known to block legitimate traffic or break applications, creating user frustration and impacting the bottom line.

The Fastly Next-Gen WAF is an ideal solution to meet PCI DSS 4.0 requirement 6.4.2, which states:

For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks with at least the following:

  • It is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks.

  • Actively running and up to date as applicable.

  • Generating audit logs.

  • Configured to either block web-based attacks or generate an alert that is immediately investigated.

Our Next-Gen WAF can help you meet these requirements and provides advanced web application and API protection (WAAP) for your applications, APIs, and microservices. But there are plenty of other reasons to love the Fastly Next-Gen WAF.

Our proprietary SmartParse technology replaces tedious regex-based tuning and enables highly accurate decisions, resulting in fewer false positives than other WAF solutions. That’s why more than 90% of our customers run the WAF in full-blocking mode, with the confidence that they will be protected against malicious actors without the danger of disrupting legitimate traffic.

Developers love it, too. The Fastly Next-Gen WAF flexibly deploys in any environment and can protect apps and APIs wherever they are – in containers, on-prem, in the cloud, or on the edge. While other WAFs can act as blockers for innovation, the Fastly Next-Gen WAF’s flexibility and accuracy ensure it can integrate seamlessly into any DevSecOps stack, making security simple for everyone.

Best of all, it deploys in as little as 10 minutes, with an average time to full blocking in 60 minutes. Given how soon the PCI DSS deadline is approaching, every minute counts.

How Fastly can help with PCI Compliance

Fastly’s Next-Gen WAF can help organizations adhere to the latest PCI data security standards, simplifying compliance without putting your security at risk.

Be sure to set a reminder for the March 31, 2025 deadline, and stay tuned for more from us on how to shore up your defenses against client-side attacks.