NGINX.COM

Achieving PCI DSS Compliance with NGINX App Protect

Digital transformation has changed the security landscape. Traditional digital security no longer exists as organizations transition from monolithic applications to cloud‑native microservices architectures to increase business agility. Because microservices communicate over the network, modern websites and web applications are more vulnerable to cyberattacks than monoliths and have become one of the easiest ways to compromise the networks of companies of all sizes. Organizations need to find the right balance between security and agility.

The credit card industry continues to be a frequent target for cyberattacks. This blog discusses the specific security and compliance challenges that enterprises face when they handle credit card transactions, and how technologies like a web application firewall (WAF), and NGINX App Protect in particular, help them meet regulatory requirements.

PCI DSS Compliance Is Critical to Today’s Modern Applications

The Payment Card Industry Data Security Standard (PCI DSS) describes the actions that all parties involved in processing credit card payments must take to protect cardholder data. The very first requirement is to “Install and maintain a firewall configuration to protect cardholder data”. Requirement 6.6 further states that owners of public‑facing web applications must protect them by “installing an automated technical solution that detects and prevents web‑based attacks (for example, a web application firewall)…”.

Unfortunately, installing a WAF is not a simple matter of “set it and forget it”. There is a wide variety of possible attacks and attackers are constantly coming up with new ones. That makes maintaining PCI DSS compliance one of the most significant challenges faced by modern applications.

Requirement 6.5 of the standard lists the vulnerabilities that a WAF must defend against “at a minimum”:

  • Injection flaws, particularly SQL injection, but also OS Command Injection, LDAP and XPath injection flaws, and others
  • Buffer overflows
  • Insecure cryptographic storage
  • Insecure communications
  • Improper error handling
  • Cross‑site scripting (XSS)
  • Cross‑site request forgery (CSRF)
  • Broken authentication and session management
  • Improper access control (such as insecure direct object references and failure to restrict URL access)

The PCI DSS list doesn’t even overlap completely with another commonly used list of vulnerabilities, the Open Web Application Security Project (OWASP) Top 10, which adds XML external entities, misconfiguration (such as using default configs), insecure deserialization, and insufficient logging and monitoring.

NGINX App Protect Meets and Exceeds PCI DSS Requirements

To comply with PCI DSS and protect your apps against the ever‑growing set of vulnerabilities, you need a modern WAF solution like NGINX App Protect. It protects against the listed PCI DSS vulnerabilities, the OWASP Top 10, and beyond.

NGINX App Protect is designed for modern infrastructure and can be installed anywhere. It slots directly into your CI/CD pipeline “as code”, and being closer to your applications than traditional WAFs enables you to rapidly update security policies. Because NGINX App Protect deploys on all platforms (public and private clouds, VMs, containers, and more) and use cases (including API gateway and Kubernetes Ingress controller), you get consistent performance and the same level of protection across your entire infrastructure.

NGINX App Protect covers more than 6,000 signatures that are updated at least every two months to cover the latest known attacks.

Also, beyond the signatures, NGINX App Protect:

  • Performs HTTP protocol and evasion technique checks on a per‑request basis to detect errors such as illegitimate metacharacters in the contents of the HTTP message, invalid length, and more. Such anomalies can indicate a possible attack that is unknown (zero‑day) and their presence reinforces other evidence that may exist in the traffic.
  • Processes JSON and XML content, and can check the payload for potentially malicious injections.
  • Provides a unique capability that prevents responses from exposing sensitive information by masking the data (also known as response scrubbing). We always recommend enabling response scrubbing when the application returns confidential data that must not be exposed.

Try NGINX App Protect for free for 30 days. You’ll see why the performance and functionality of F5’s marketing‑leading WAF combined with the lightweight and programmable nature of NGINX Plus are the perfect combo to solve your PCI DSS compliance challenges.

Hero image
Monolith to Microservices

Free ebook that goes deep on transitioning an existing monolithic architecture to microservices

Tags

No More Tags to display