
Leveraging open-appsec / CloudGuard WAF for PCI DSS Requirement 6.4.1-2 Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard used to handle credit cards from major card brands. The standard is administered by the Payment Card Industry Security Standards Council, and its use is mandated by the card brands. It was created to better control cardholder data and reduce credit card fraud. Validation of compliance is performed annually or quarterly with a method suited to the volume of transactions.

As the Payment Card Industry Data Security Standard (PCI DSS) evolves, it's crucial for organizations handling credit card transactions to stay updated with the latest requirements. With the impending release of version 4, one area of focus is Requirement 6.4, which emphasizes the protection of public-facing web applications against attacks. 

Public-facing web applications are prime targets for attackers, and any vulnerability in them could lead to a significant data breach. To address this, requirement 6.4.1 (which will be replaced by requirement 6.4.2) requires, among other options, installing an automated technical solution(s) that continually detects and prevents web-based attacks.

Among the recommended solutions, Check Point’s open-appsec and CloudGuard WAF, both Web Application Firewalls (WAFs), stand out as robust automated technical solutions that can effectively detect and prevent web-based attacks. A properly configured WAF acts as a shield, filtering and blocking non-essential traffic at the application layer, thereby safeguarding against application-layer attacks on poorly coded or configured applications.

Let's delve deeper into how open-appsec/CloudGuard WAF can assist in fulfilling Requirements 6.4.1 and 6.4.2: 

Requirement 6.4.2 (From Payment Card Industry Data Security Standard: Requirements and Testing Procedures, v4.0): 

“Installing an automated technical solution(s) that continually detects and prevents web-based attacks as follows:  

– Installed in front of public-facing web applications to detect and prevent web-based attacks.

– Actively running and up to date as applicable.

– Generating audit logs.   

– Configured to either block web-based attacks or generate an alert that is immediately investigated.” 


Check Point’s open-appsec and CloudGuard WAF solutions answer all requirements:  

  1. Installed in front of public-facing web applications to detect and prevent web-based attacks: open-appsec and CloudGuard WAF can be installed in front of public-facing web applications and provide continuous monitoring and protection. They actively scan incoming traffic, identifying and blocking potential threats in real time, based on configuration.

  2. Actively running and up to date as applicable: Cyber threats are ever-evolving. Your WAF should be equipped to adapt to new threats and vulnerabilities as they emerge. The open-appsec / CloudGuard WAF security engine is based on machine learning and provides pre-emptive protection against zero-day attacks. This security engine is not based on signatures that require updates; you can read more here. Software updates are provided periodically with engine improvements and enhancements. In addition to the contextual machine-learning-based engine, open-appsec (Premium Edition) / CloudGuard WAF provide traditional signature-based protections for over 2800 web-based CVEs (Common Vulnerabilities and Exposures), and those are provided with periodic updates and patches to ensure that your WAF remains effective against the latest attack vectors in this additional layer of security.

  3. Generating audit logs: To comply with PCI DSS, it's essential to maintain audit logs and validate the configuration of your WAF. This involves ensuring that the WAF is installed correctly, actively running, and up to date with the latest security definitions. open-appsec / CloudGuard WAF allows you to generate both administrative audit logs and security audit logs for traffic to your web server. You can configure open-appsec / CloudGuard WAF to log all activity, including benign traffic; read more here.

  4. Configured to either block web-based attacks or generate an alert that is immediately investigated: open-appsec / CloudGuard WAF can be configured both to block attacks and to generate logs for each security event. When configured in “Detect” mode, only logs are generated and traffic is not blocked, so the requirement's second option applies: each alert must be immediately investigated. You can read more about how to track the learning of the machine-learning-based security engine and define protection modes here.


In summary, leveraging open-appsec / CloudGuard WAF effectively can significantly contribute to meeting PCI DSS Requirements 6.4.1 and 6.4.2. By implementing a robust WAF solution, you not only enhance the security posture of your public-facing web applications but also demonstrate your commitment to safeguarding sensitive cardholder data.

Stay proactive, stay compliant, and stay secure! 


open-appsec is an open-source project that builds on machine learning to provide pre-emptive web app & API threat protection against OWASP Top 10 and zero-day attacks. It simplifies maintenance because there is no threat signature upkeep or exception handling, as is common in many WAF solutions.

To learn more about how open-appsec works, see this White Paper and the in-depth Video Tutorial. You can also experiment with deployment in the free Playground.

