A baseline assumption of the modern economy is that buying things with a credit card is safe. This assumption is so ingrained that consumers rarely pause to think about it. That faith obscures the massive amount of backend work that goes into keeping consumer information safe. Launched in 2006, the Payment Card Industry Data Security Standard (PCI DSS) is an information security standard designed to protect cardholder data, and it remains a crucial requirement for any business that accepts card payments. Any merchant that handles credit card transactions and cardholder data must play by its rules.
Cybersecurity best practices adapt with the times, and the PCI DSS has evolved in tandem. In June 2024, the Payment Card Industry Security Standards Council, which administers the PCI DSS, announced the latest update, version 4.0.1, which finally went into effect in March 2025.
Cyberattacks were a serious, if relatively small-scale, concern 19 years ago when the PCI DSS was launched. As of 2025, they are costing the world $10.5 trillion annually and occur with a frequency and ferocity that has astounded even veteran cybersecurity professionals. In line with this new reality — and with evolving security practices across industries — this iteration of the PCI DSS has an increased focus on continuous security: a kind of security that is more proactive and operates around the clock.
With this new update, one robust security solution has become more crucial than ever: Web Application Firewalls (WAFs).
To explain this change, it’s worth comparing PCI DSS 4.0.1 to its predecessor, PCI DSS 4.0. Before PCI DSS 4.0.1 took effect, parties that handled credit card information were allowed to review public-facing web applications via manual (or automated) application vulnerability security assessment tools and were required to do so only once every twelve months. The new rule is much more intensive, and it reads:
“For public-facing web applications, [a solution] is deployed that continually detects and prevents web-based attacks…A web application firewall (WAF), which can be either on-premises or cloud-based, installed in front of public-facing web applications to check all traffic, is an example of [a solution] that detects and prevents web-based attacks….”
There is no question that the earlier policy put less of a burden on organizations, which could simply “check the code” and avoid the installation of potentially costly new technology (as well as the need to train staff on how to use it). But it is, for better or worse, a necessary adjustment as cybercriminals are more tech-savvy than ever. WAFs are, in this context, a solution an organization can deploy to help mitigate risks.
You can think of WAFs like food seasoning: a necessary ingredient, but not the entire meal. They are a basic yet essential line of defense. At their root, they are a filtering mechanism. They sit in front of your application servers, monitor HTTP traffic between your web application and its end users (often the wider public internet), and turn away requests that look (or actually are) malicious before they reach the application. They are highly adjustable and can be tuned to meet the moment: during a distributed denial of service (DDoS) attack, for instance, their policies can be modified to implement rate limiting.
DDoS represents just one of countless cyberattacks that WAFs can help prevent. Cross-site scripting, SQL injections, HTTP protocol attacks—WAFs have a long record of keeping organizations safe from these mainstays of the cybercriminal arsenal. Why this is of particular importance to applications that deal with financial information should be obvious: When sensitive consumer financial data is breached, organizations risk regulatory fines, reputational harm and much worse.
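To make the filtering mechanism described above concrete, here is a small constructed WAF-style inspector (added here as an illustration; it is not code from any PCI DSS document or WAF product). It checks each request against a few signature patterns for SQL injection and cross-site scripting, applies a per-client rate limit, and logs every decision for later review. The signatures, rate-limit values and sample requests are all assumptions chosen for the demonstration; real WAFs use far larger, vendor-maintained rule sets.

```python
import re
import time
from collections import defaultdict, deque

# Constructed signatures for two of the attack classes the article names.
# A production rule set is far broader; these exist only to show the mechanism.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bor\b\s+\d+\s*=\s*\d+|\bunion\b\s+\bselect\b|--\s*$|;\s*drop\b)"),
    "xss": re.compile(r"(?i)(<\s*script\b|javascript:|\bon\w+\s*=)"),
}


class ToyWAF:
    """Sits in front of an application, returning an allow/block decision per request."""

    def __init__(self, rate_limit=5, window_seconds=10.0):
        self.rate_limit = rate_limit           # max requests per client within the window
        self.window = window_seconds
        self.history = defaultdict(deque)      # client_ip -> timestamps of recent requests
        self.log = []                          # every decision, for SOC review and tuning

    def _rate_limited(self, client_ip, now):
        # Sliding window: drop timestamps older than the window, then count the rest.
        recent = self.history[client_ip]
        while recent and now - recent[0] > self.window:
            recent.popleft()
        recent.append(now)
        return len(recent) > self.rate_limit

    def inspect(self, client_ip, path, query="", body="", now=None):
        """Return (action, reason) for one request; 'now' may be injected for testing."""
        now = time.time() if now is None else now
        # Rate limiting first: it is cheap and is the DDoS lever the article mentions.
        if self._rate_limited(client_ip, now):
            return self._decide("block", "rate_limit", client_ip, path)
        # Then signature inspection over every request component the WAF can see.
        for name, pattern in SIGNATURES.items():
            if any(pattern.search(field) for field in (path, query, body)):
                return self._decide("block", name, client_ip, path)
        return self._decide("allow", None, client_ip, path)

    def _decide(self, action, reason, client_ip, path):
        self.log.append({"ip": client_ip, "path": path, "action": action, "reason": reason})
        return action, reason


if __name__ == "__main__":
    waf = ToyWAF(rate_limit=3)
    # Constructed sample traffic: one benign request, one SQLi attempt, one XSS attempt.
    print(waf.inspect("203.0.113.5", "/checkout", query="item=42", now=1.0))
    print(waf.inspect("203.0.113.5", "/login", body="user=a' OR 1=1 --", now=2.0))
    print(waf.inspect("203.0.113.5", "/search", query="q=<script>alert(1)</script>", now=3.0))
```

The decision log is the part a compliance reviewer cares about: it is the evidence that traffic is being inspected continually rather than checked once a year.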
WAFs have been a routine component of the cybersecurity arsenal since the late 1990s, but the field has seen significant innovation since then. Merchants shouldn’t dread complicated integration processes—WAFs can be spun up with minimal complexity and, with modern tools, monitored effectively and transparently across sites, countries and continents. WAF configuration and tuning have never been simpler than they are right now, and that applies whether applications are on-premises, in a public cloud or dispersed across a mixture of environments.
Understandably, some merchants are wary of the PCI DSS’s latest updates. Overhauling one’s established security protocol can be a daunting prospect. But we are, unfortunately, past the point of taking shortcuts. Today’s cybercriminals will exploit any weakness they can find. And as it happens, it’s not difficult to start using WAFs. There’s a reason they’ve been a key part of the cybersecurity arsenal for over thirty years: They work. And when it comes to helping keep consumer data safe, that level of time-tested reliability can’t be ignored.
Implementing a properly configured WAF is no longer optional but mandatory, providing organizations with real-time protection against evolving web-based threats while ensuring regulatory compliance.