
Forum Discussion

ahddom
Jul 11, 2025

PCI Compliance and ASM

Hi,


We are building a system that is to be PCI compliant.

The system will be hosted in a segregated zone in the infrastructure, where we have:

  • Load balancer to receive the external traffic
  • Web server in the segregated zone (DMZ inside the segregated zone).
  • Application server in the internal zone of segregated zone.

In our Internet gateway and external DMZ, we have an F5/ASM that protects all exposed services (non-PCI for now). This protection includes SSL inspection and logging to a SIEM.

As part of the PCI requirements, we need to protect our exposed services through WAF.

At the same time, we should not expose CHD in plaintext. Is there any solution from F5 ASM for this?

Or any other architecture recommendation?


2 Replies

  • VGF5

    F5 WAF’s “Data Guard” prevents sensitive data (e.g., credit card numbers, SSNs) from being logged or leaking in responses. It masks or blocks CHD in HTTP responses and logs, meeting PCI DSS requirements for plaintext CHD exposure. Use SSL bridging to prevent plaintext CHD exposure on the network.

    Reference:

    K34154012: Configuring Data Guard detection patterns (12.x - 17.x)

    K8363: Using the Mask Data setting to protect sensitive data returned by the BIG-IP ASM

  • I would also add: use a separate partition and route domains to fully isolate PCI traffic from the rest.

    Maybe a different SIEM too.
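To make the masking behaviour VGF5's reply describes concrete, here is an added Python example. It is not F5 code and not an implementation of Data Guard; it is a stand-alone scrubber that finds PAN-like digit runs and US SSNs in a response body or a SIEM log line, masks all but the last four digits in "mask" mode and refuses the whole response in "block" mode. The Luhn pre-check, the regexes, the `KEEP_TRAILING` constant and the sample response/log line are all assumptions constructed for this example.

```python
"""Illustrative cardholder-data (CHD) scrubber for HTTP responses and log lines.

Added example, not F5 code and not Data Guard: it shows the two enforcement
choices a WAF has once CHD is spotted in outbound data (mask it, or block the
response) so the behaviour can be tested offline.
Assumption: a 13-19 digit run only counts as a PAN if it passes the Luhn check,
so order ids and similar digit runs are left alone.
"""
import re
from typing import Tuple

# 13-19 digits, each optionally followed by one space or hyphen
# (covers "4111 1111 1111 1111" and "4111-1111-1111-1111").
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in the common dashed form.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

KEEP_TRAILING = 4  # last four digits may be displayed; everything else is masked


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _mask_pan(raw: str) -> str:
    """Replace all but the last KEEP_TRAILING digits, preserving separators."""
    cutoff = sum(c.isdigit() for c in raw) - KEEP_TRAILING
    out, seen = [], 0
    for c in raw:
        if c.isdigit():
            out.append(c if seen >= cutoff else "*")
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def scrub(text: str) -> Tuple[str, int]:
    """Return (masked_text, number_of_CHD_items_found)."""
    hits = 0

    def pan_repl(m):
        nonlocal hits
        raw = m.group(0)
        if not luhn_ok(re.sub(r"\D", "", raw)):
            return raw  # digit run that is not a card number: leave untouched
        hits += 1
        return _mask_pan(raw)

    def ssn_repl(m):
        nonlocal hits
        hits += 1
        return "***-**-" + m.group(0)[-4:]

    text = PAN_RE.sub(pan_repl, text)
    text = SSN_RE.sub(ssn_repl, text)
    return text, hits


def enforce(text: str, mode: str = "mask") -> str:
    """'mask' rewrites the data in place; 'block' refuses it if any CHD was found."""
    masked, hits = scrub(text)
    if mode == "block" and hits:
        return "HTTP/1.1 403 Forbidden\r\n\r\nblocked: response contained cardholder data"
    return masked


# Constructed sample input (test card numbers, not real data).
SAMPLE_RESPONSE = (
    "<p>Thanks! Card 4111 1111 1111 1111 charged. Order 1234567890123456.</p>"
    "<p>SSN on file: 123-45-6789</p>"
)
SAMPLE_LOG = 'POST /checkout 200 body="card=5555555555554444&exp=12/27"'

if __name__ == "__main__":
    print(enforce(SAMPLE_RESPONSE, "mask"))
    print(enforce(SAMPLE_LOG, "mask"))
    print(enforce(SAMPLE_RESPONSE, "block"))
```

Two practitioner caveats follow from the code rather than from F5 documentation. First, a scrubber only protects what passes through it: the plaintext PAN still exists in the inbound request and on the application server, so the WAF's own request logging must not forward request bodies carrying CHD to the SIEM either. Second, the Luhn pre-check is what keeps the order id in the sample response unmasked; without it, every 16-digit identifier in a page would be rewritten, which is the kind of false positive to test for before turning masking on in production.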