PCI DSS 4.0 Demystified

Lorraine Bellon

Senior Product Marketing Manager, Security

Is it just us, or did the first month of 2025 feel like a year?

It’s easy to get distracted by *gestures broadly at everything* – but there’s an important date coming up that you don’t want to miss if your business handles or processes cardholder data.

Here’s what you need to know about the upcoming PCI DSS 4.0 deadline on March 31, 2025.

What is PCI DSS 4.0?

If you’ve just joined us, pull up a chair.

The PCI Security Standards Council announced Version 4.0 of the Data Security Standard (DSS) on March 31, 2022.

In March 2024, we published a blog that outlined the new requirements in detail, including some with earlier deadlines. Some requirements are taking effect after March 31, 2025.

At a high level, PCI DSS 4.0 strengthens security measures around authentication, encryption, and monitoring for businesses that process payment cards. This includes things like:

  • Multi-factor authentication for employees who access card data

  • Stricter password requirements for systems

  • More security controls and alerting for security teams

  • More thorough risk assessments and management

All of these are typical security measures for any organization, so it’s easy to think of PCI DSS compliance as a box-checking exercise for the audit team. For many organizations, that’s where it begins and ends. But there’s more to it than that.

Stop scammers in their tracks

A big reason for the enhanced security measures in PCI DSS 4.0 is the increase in sophisticated cyber attacks designed to steal payment card data.

Payment card theft is not a new problem – you might carry your credit cards in an RFID-proof wallet, or choose a gas station that accepts mobile payments just in case a hidden magnetic card reader is attached to the pump, ready to steal your credit card information. But what about on your website?

No one wants to visit a restaurant with a “C” rating from the health department. If your website leads to customers losing credit card details to a scammer, you risk losing their business for good.

But there is good news! You can take one major step toward achieving your compliance goals in minutes.

Live, WAF, Love

PCI DSS 4.0 requires organizations to procure and deploy a web application firewall (WAF) by the March 31, 2025 deadline. WAFs are a critical piece of any application security puzzle, but they can be a big source of friction for both security and engineering teams.

Many WAFs on the market today produce a high number of false positives and require long, tedious tuning periods to eliminate unnecessary alerts. Even worse, many are known to block legitimate traffic or break applications, creating user frustration and impacting the bottom line.

The Fastly Next-Gen WAF is an ideal solution to meet PCI DSS 4.0 requirement 6.4.2, which states:

For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks with at least the following:

  • It is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks.

  • Actively running and up to date as applicable.

  • Generating audit logs.

  • Configured to either block web-based attacks or generate an alert that is immediately investigated.

Our Next-Gen WAF can help you meet these requirements and provides advanced web application and API protection (WAAP) for your applications, APIs, and microservices. But there are plenty of other reasons to love the Fastly Next-Gen WAF.

Our proprietary SmartParse technology replaces tedious regex-based tuning and enables highly accurate decisions, resulting in fewer false positives than other WAF solutions. That’s why more than 90% of our customers run the WAF in full-blocking mode, with the confidence that they will be protected against malicious actors without the danger of disrupting legitimate traffic.

Developers love it, too. The Fastly Next-Gen WAF flexibly deploys in any environment and can protect apps and APIs wherever they are – in containers, on-prem, in the cloud, or on the edge. While other WAFs can act as blockers for innovation, the Fastly Next-Gen WAF’s flexibility and accuracy ensure it can integrate seamlessly into any DevSecOps stack, making security simple for everyone.

Best of all, it deploys in as little as 10 minutes, with an average time to full blocking in 60 minutes. Given how soon the PCI DSS deadline is approaching, every minute counts.

Don’t let time run out

If you want to learn more about how Fastly can help with PCI compliance, read our whitepaper for a deeper dive.

Be sure to set a reminder for the March 31, 2025 deadline, and stay tuned for more from us on how to shore up your defenses against client-side attacks.