F5 Distributed Cloud Services FAQ

F5 Distributed Cloud provides services - F5® Distributed Cloud Mesh (Mesh) to connect & secure and F5® Distributed Cloud App Stack (App Stack) to deploy & operate your apps across the edge, multi-cloud, and our global application delivery network. Using this SaaS platform, we remove the need for you to deploy and integrate many disparate networking and app services -- dramatically reducing cost and simplifying operations for NetOps and DevOps.

Mesh delivers networking and security services from our high-performance global network. Our SaaS platform can also deploy the same service in your cloud or edge location, giving you a globally distributed app gateway for app-to-app and internet traffic.

App Stack provides platform services for distributed infrastructure and apps across the edge, cloud, and our global network. App Stack automates deployment, security, and operations of multiple app clusters to deliver a logically centralized cloud for the customer.

We highly recommend that you sign up for an account to build or secure any app. Since there are multiple different solutions that can be built using our services, we also request that you look at different use-cases on the website. Each of these use-cases also comes with Quick Start documentation to ease your on-boarding process.

If you migrate from a plan, that date will be your recurring billing date. If you directly signed-up for a paid plan, your sign-up date will be the recurring billing date.

Organization Plans:

The billing date is the end of the month for organization plans. If you signed up for the organization plan anytime in the middle of the month, the first bill will be at the end of the month, prorated based on the date you signed up. Subsequent billing dates will be at the end of each month.

If you migrate from a plan, that date will be your recurring billing date. If you directly signed-up for a paid plan, your sign-up date will be the recurring billing date.

There are two major components of your bill, a fixed subscription fee charge and variable charges based service usage. There is one bill generated at the end of the billing cycle that includes both the fixed subscription fee charge and the variable charge. And there will be one transaction at the end of the billing cycle on your payment method.

Yes, you can view the cycle to date usage and costs incurred in the billing section of F5® Distributed Cloud Console. You can view usage details per hour in the “Usage Details” page in the billing section of Console. In addition, you can get a cycle to date summary of your bill in the “Usage Summary” page in the billing section of Console.

You are free to change the plan at any time of your subscription period and will be charged pro rata for the amount used based on the plan.

All transactions to your billing method on file will be billed in US Dollars. We do not offer local currency billing for non-organization plans.

If you are eligible for tax exemption, you can request “Tax Exempt Status” by submitting requisite documentation such as Tax Exempt Certificate on Console under Billing Settings section. Refer to the tax-exempt documentation here for more details.

At this time, we request you to please sign up for a new account under the Plan required. You can keep your existing account or delete it at your convenience.

We will be supporting the upgrade of an existing account soon.

F5 Distributed Cloud stores PII information within its cloud storage - name, email, user-id, billing address, phone number in its cloud. For every API call made by the customer, we encrypt and decrypt the calls and store a log for audit-ability -- this includes geo-IP location, device type, and device software used to make these API calls. In addition, the customer's credit card information is stored with PCI-compliant service from Stripe, Inc.

Our Privacy Policy can be found here. Also, see our California Privacy Policy and Do Not Sell My Information Policy.

Our terms of service can be found here.

The PCI DSS (Payment Card Industry Data Security Standard) is an information security standard designed to increase controls around cardholder data to reduce payment card fraud.

PCI compliance means obeying a set of security standards for card data, and any company that processes card transactions has to be PCI-compliant. Transactions with credit cards, debit cards, and prepaid cards are all included within the scope of PCI compliance.

The standard applies to any organization that stores, transmits, or accepts cardholder data over the Internet, over the phone, in an app, or in person.

Cardholder data includes:

• Primary account number: The account number on the card, typically 16 digits long
• Full name: The name of the cardholder
• Expiration date: The month and year when the card expires
• Service code: The 3-digit or 4-digit code listed on the back of the card

PCI DSS stands for “Payment Card Industry Data Security Standard”. PCI DSS is a set of 12 overall information security standards, each with multiple sub-requirements, for keeping card data secure.

The standard is administered by the PCI SSC (Payment Card Industry Security Standards Council), which was founded in 2006 by American Express, Discover, JCB International, MasterCard, and Visa Inc. These five credit card companies collaborated to create PCI-DSS Version 1.0 in December 2004. As of 2019, the latest version, version 3.2.1, was released in May 2018. However, these standards will continue to be updated over time.

The PCI DSS specifies 12 requirements that are organized into 6 control objectives and contain more than 250 items to cover.

Figure: PCI DSS Requirements

Note: These are summarized versions of the actual standards. See the official PCI-DSS website for the full standard documentation

The standard applies to any organization that stores, transmits, or accepts cardholder data over the Internet, over the phone, in an app, or in person, even if a company uses a third party for processing card transactions or doesn't store card information.

For small- to medium-sized businesses, PCI compliance works on an honor system for the most part. Large enterprises need to be assessed by an auditor to confirm their PCI compliance.

PCI DSS divides companies (or “merchants,” as the standards call them) into 4 levels based on the number of card transactions processed each year. The levels are:

• Level 4: Fewer than 20,000 transactions per year
• Level 3: Between 20,000 and 1 million transactions per year
• Level 2: Between 1 and 6 million transactions per year
• Level 1: More than 6 million transactions per year

These definitions are mostly accurate, but every credit card company defines the levels slightly differently. It’s important for merchants to check with each card provider to see which level they are.

The way a merchant can get certified as PCI-compliant changes based on their level. Level 2-4 merchants have to fill out and submit a self-assessment questionnaire once a year. They also need to have an Authorized Scanning Vendor (ASV) scan their systems for vulnerabilities every quarter.

Level 1 merchants need a certified auditor, either a Qualified Security Assessor or an Internal Security Assessor, to audit their PCI compliance and submit a report. The auditing takes place either once a year or once a quarter (depending on the card company). Level 1 merchants need a quarterly vulnerability scan as well.

Finally, all merchants need to fill out and submit an Attestation of Compliance (AOC) form, which is basically a statement to the credit card company that the merchant is PCI-compliant.

F5 Distributed Cloud has been PCI Certified as Level 1. This is the highest and most stringent level, allowing us to process more than 6 million transactions annually. Level 1 assessment consists of an external and independent audit performed annually by a QSA (Qualified Security Assessor).

F5 Distributed Cloud Services platform includes network and application layer security, as well as distributed denial of service (DDoS) protection for online enterprises. In the PCI DSS certification process, the entire F5 Distributed Cloud global infrastructure has been audited (Console, Control Plane, and all data centers) as well as our security policies and software development processes.

The PCI DSS objective is to protect cardholder data, therefore F5 Distributed Cloud's certification focused on our Mesh service. F5 Distributed Cloud does not process nor store cardholder data in any manner since Mesh acts as a reverse proxy between customers’ origin servers (merchant or payment service provider) and end consumers. F5 Distributed Cloud treats all communication from the end consumer (which could potentially include PAN (primary account number), security code, and expiration date) to the origin server as opaque data; it does not know if the data includes cardholder data or not, and does not apply any special treatment for cardholder data vs. not. F5 Distributed Cloud's Level 1 certification ensures that any action performed on customer traffic by the global infrastructure complies with PCI DSS requirements.

For e-commerce merchants, payment service providers, and more generally any customer that stores, transmits, or accepts cardholder data, F5 Distributed Cloud's Level 1 certification will greatly facilitate our customers' own PCI DSS compliance.

Furthermore, using F5 Distributed Cloud's Mesh services that include a web application firewall (WAF), helps our customers meet their own PCI requirement 6.6.

F5 Distributed Cloud also enables merchants to use the latest versions of TLS encryption, another important part of PCI compliance.

F5 Distributed Cloud Services provide distributed cloud services enabling clients to deliver applications and services quickly and securely. By complying with the arduous requirements of PCI DSS, we are providing to all our customers an independent and industry-accepted security review of our processes, policies, infrastructure, and software development methodology.

For e-commerce merchants, payment service providers, and more generally any customer that stores, transmits, or accepts cardholder data, F5 Distributed Cloud's Level 1 certification will greatly facilitate our customers' own PCI DSS compliance.

Furthermore, using F5 Distributed Cloud's Mesh services that include a web application firewall (WAF) will help our customers meet their own PCI requirement 6.6.

F5 Distributed Cloud also enables merchants to use the latest versions of TLS encryption, another important part of PCI compliance.