Important changes have come to PCI DSS (the Payment Card Industry Data Security Standard), the security standard that governs the handling of credit card information. Since March 31, 2025, several of the standard’s requirements have been replaced with amended versions, and many “best practice” requirements have become full requirements of the standard. These changes are designed to make credit card handling more secure at a time when cyberattacks are increasingly common and more sophisticated.
Any organization that handles credit card information must confirm it meets all the new and amended requirements to remain compliant with PCI DSS after March 31.
Key Change: You Now Require A WAF
One of the key changes is in section 6.4: “Public-facing web applications are protected against attacks.” Specifically, requirement 6.4.2 replaces requirement 6.4.1, with the new requirement stating:
“For public-facing web applications, [a solution] is deployed that continually detects and prevents web-based attacks…A web application firewall (WAF), which can be either on-premises or cloud-based, installed in front of public-facing web applications to check all traffic, is an example of [a solution] that detects and prevents web-based attacks…”
This is a significant change from the requirement being replaced, which, until March 31, offered an alternative to deploying a WAF:
“[Review] public-facing web applications via manual or automated application vulnerability security assessment tools or methods…At least once every 12 months…”
This alternative option may have been quicker, cheaper and easier for many organizations than purchasing and deploying an additional piece of security equipment and training staff to use it. The new and amended requirement, however, completely retires the option to “check the code” and elevates the use of a WAF to a mandatory requirement.
The Progress Kemp LoadMaster solution has built-in WAF functionality available on-premises and in the cloud and is here to help fulfill this new requirement.
Refresher: What Is a WAF and Why Is It Important?
We’ve recently published several blog posts exploring WAFs and their importance in application security.
As a refresher, a web application firewall (WAF) is a crucial security layer in a modern, multi-layered defense strategy. A WAF helps to:
- Provide an extra layer of defense for websites, web apps and APIs
- Inspect HTTP(S) web traffic and proactively block malicious-looking traffic
- Prevent your web services from being low-hanging fruit for attackers

Any internet-facing or mission-critical web application should be afforded the protection that a WAF provides. This is critically important for applications that use financial or confidential information in any way, where security failures spell disastrous consequences (large fines, regulatory investigations and potential business failure).
How Can the LoadMaster Solution Help?
The Progress Kemp LoadMaster solution can help, with its built-in WAF functionality based on industry-standard OWASP technologies. It improves web application protection against a wide range of attacks, including cross-site scripting (XSS), SQL injection and HTTP protocol attacks.
The LoadMaster solution is flexible, quick to deploy and easy to configure through its intuitive web user interface. The LoadMaster solution is available on all common hypervisors, can be found directly in the big public clouds, and is also available as a hardware appliance. Wherever your application infrastructure lives, it’s easy to add LoadMaster load balancers and start benefiting from the protection they provide.
LoadMaster load balancers are also fully featured and highly capable application delivery controllers (ADC). They make applications highly available, resilient and scalable, in addition to the security benefits outlined so far.
‘WAF on Easy Mode’: Enhanced WAF Via Integration with LoadMaster 360
To make WAF configuration even simpler, Progress LoadMaster 360 provides a modern SaaS offering with dashboards and metrics. This makes it easy to get at-a-glance statistics about how a LoadMaster WAF is performing. It also makes it easy to manage a fleet of LoadMaster load balancers across entire organizations spanning many distinct sites, countries and continents.

The enhanced WAF functionality includes industry-leading smart filters that parse thousands of lines of log output to highlight the most pressing log alerts that require the attention of a security operator. This massively streamlines WAF operation and, when combined with LoadMaster 360 false positive tuning tools, makes it faster than ever before to configure and tune a WAF for operation in front of any web service or application.

To find out more about LoadMaster 360 WAF-specific capabilities, refer to some of the recent blog posts we have published on this subject.
Conclusion
Many businesses may find the recent changes to PCI DSS challenging. The LoadMaster solution can help on this journey.
With the LoadMaster load balancer’s flexibility and availability on a range of platforms, the solution can meet your business applications wherever they are in a consistent and repeatable way: whether on-premises, in a public cloud or across a mixture of environments.
We invite you to try a 30-day free trial of LoadMaster by visiting this page. Please feel free to talk to us today to discuss how Progress can help you fulfill your WAF and load balancing needs.