F5 Distributed Cloud Services FAQ
Why F5 Distributed Cloud Services
How do F5 Distributed Cloud Services work?
F5 Distributed Cloud provides two services: F5® Distributed Cloud Mesh (Mesh) to connect and secure your apps, and F5® Distributed Cloud App Stack (App Stack) to deploy and operate them across the edge, multi-cloud, and our global application delivery network. Using this SaaS platform, we remove the need for you to deploy and integrate many disparate networking and app services, dramatically reducing cost and simplifying operations for NetOps and DevOps.
Mesh delivers networking and security services from our high-performance global network. Our SaaS platform can also deploy the same service in your cloud or edge location, giving you a globally distributed app gateway for app-to-app and internet traffic.
App Stack provides platform services for distributed infrastructure and apps across the edge, cloud, and our global network. App Stack automates deployment, security, and operations of multiple app clusters to deliver a logically centralized cloud for the customer.
How do I get started with F5 Distributed Cloud Services?
We highly recommend that you sign up for an account to build or secure any app. Ways to purchase are described in Purchasing and Billing. Because many different solutions can be built using our services, we also ask that you look at the use-cases on the website. Each of these use-cases comes with Quick Start documentation to ease your onboarding process.
Security, Data Privacy, and Legal
What personal information of mine does F5 Distributed Cloud Services store in its cloud?
F5 Distributed Cloud stores PII within its cloud storage, such as name, email, user-id, billing address and phone number. For every API call made by the customer, we encrypt and decrypt the calls and store a log for auditability; this includes geo-IP location, device type, and device software used to make these API calls.
What is your privacy policy?
Our Privacy Policy can be found here. Also, see our California Privacy Policy and Do Not Sell My Information Policy.
What are the terms of your service?
Our terms of service can be found here.
Compliance
What is PCI DSS compliance?
The PCI DSS (Payment Card Industry Data Security Standard) is an information security standard designed to increase controls around cardholder data to reduce payment card fraud.
PCI compliance means obeying a set of security standards for card data, and any company that processes card transactions has to be PCI-compliant. Transactions with credit cards, debit cards, and prepaid cards are all included within the scope of PCI compliance.
The standard applies to any organization that stores, transmits, or accepts cardholder data over the Internet, over the phone, in an app, or in person.
Cardholder data includes:
- Primary account number: The account number on the card, typically 16 digits long
- Full name: The name of the cardholder
- Expiration date: The month and year when the card expires
- Service code: The 3-digit or 4-digit code listed on the back of the card
What is PCI-DSS?
PCI DSS stands for “Payment Card Industry Data Security Standard”. PCI DSS is a set of 12 overall information security standards, each with multiple sub-requirements, for keeping card data secure.
The standard is administered by the PCI SSC (Payment Card Industry Security Standards Council), which was founded in 2006 by American Express, Discover, JCB International, MasterCard, and Visa Inc. These five credit card companies collaborated to create PCI-DSS Version 1.0 in December 2004. As of 2019, the latest version is 3.2.1, released in May 2018. However, these standards will continue to be updated over time.
The PCI DSS specifies 12 requirements that are organized into 6 control objectives and contain more than 250 items to cover.

Figure: PCI DSS Requirements
Note: These are summarized versions of the actual standards. See the official PCI-DSS website for the full standard documentation.
Whom does PCI DSS apply to?
The standard applies to any organization that stores, transmits, or accepts cardholder data over the Internet, over the phone, in an app, or in person, even if a company uses a third party for processing card transactions or doesn't store card information.
How is PCI compliance achieved?
For small- to medium-sized businesses, PCI compliance works on an honor system for the most part. Large enterprises need to be assessed by an auditor to confirm their PCI compliance.
PCI DSS divides companies (or “merchants,” as the standards call them) into 4 levels based on the number of card transactions processed each year. The levels are:
- Level 4: Fewer than 20,000 transactions per year
- Level 3: Between 20,000 and 1 million transactions per year
- Level 2: Between 1 and 6 million transactions per year
- Level 1: More than 6 million transactions per year
These definitions are mostly accurate, but every credit card company defines the levels slightly differently. It’s important for merchants to check with each card provider to see which level they are.
The way a merchant can get certified as PCI-compliant changes based on their level. Level 2-4 merchants have to fill out and submit a self-assessment questionnaire once a year. They also need to have an Authorized Scanning Vendor (ASV) scan their systems for vulnerabilities every quarter.
Level 1 merchants need a certified auditor, either a Qualified Security Assessor or an Internal Security Assessor, to audit their PCI compliance and submit a report. The auditing takes place either once a year or once a quarter (depending on the card company). Level 1 merchants need a quarterly vulnerability scan as well.
Finally, all merchants need to fill out and submit an Attestation of Compliance (AOC) form, which is basically a statement to the credit card company that the merchant is PCI-compliant.
Is F5 Distributed Cloud PCI compliant?
F5 Distributed Cloud has been PCI Certified as Level 1. This is the highest and most stringent level, allowing us to process more than 6 million transactions annually. Level 1 assessment consists of an external and independent audit performed annually by a QSA (Qualified Security Assessor).
Which F5 Distributed Cloud Services are covered by the PCI DSS certification?
The F5 Distributed Cloud Services platform includes network and application layer security, as well as Distributed Denial of Service (DDoS) protection for online enterprises. In the PCI DSS certification process, the entire F5 Distributed Cloud global infrastructure has been audited (Console, Control Plane, and all data centers) as well as our security policies and software development processes.
The PCI DSS objective is to protect cardholder data; therefore, F5 Distributed Cloud's certification focused on our Mesh service. F5 Distributed Cloud neither processes nor stores cardholder data in any manner, since Mesh acts as a reverse proxy between customers' origin servers (merchant or payment service provider) and end consumers. F5 Distributed Cloud treats all communication from the end consumer to the origin server (which could potentially include the PAN (primary account number), security code, and expiration date) as opaque data; it does not know whether the data includes cardholder data, and does not apply any special treatment to cardholder data. F5 Distributed Cloud's Level 1 certification ensures that any action performed on customer traffic by the global infrastructure complies with PCI DSS requirements.
How does F5 Distributed Cloud help merchants attain PCI compliance?
For e-commerce merchants, payment service providers, and more generally any customer that stores, transmits, or accepts cardholder data, F5 Distributed Cloud's Level 1 certification will greatly facilitate our customers' own PCI DSS compliance.
Furthermore, using F5 Distributed Cloud's Mesh services, which include a Web Application Firewall (WAF), helps our customers meet their own PCI requirement 6.6.
F5 Distributed Cloud also enables merchants to use the latest versions of TLS encryption, another important part of PCI compliance.
What is the benefit of F5 Distributed Cloud's PCI compliance to our customers?
F5 Distributed Cloud Services provide distributed cloud services enabling clients to deliver applications and services quickly and securely. By complying with the arduous requirements of PCI DSS, we are providing to all our customers an independent and industry-accepted security review of our processes, policies, infrastructure, and software development methodology.
For e-commerce merchants, payment service providers, and more generally any customer that stores, transmits, or accepts cardholder data, F5 Distributed Cloud's Level 1 certification will greatly facilitate our customers' own PCI DSS compliance.
Furthermore, using F5 Distributed Cloud's Mesh services that include a Web Application Firewall (WAF) will help our customers meet their own PCI requirement 6.6.
F5 Distributed Cloud also enables merchants to use the latest versions of TLS encryption, another important part of PCI compliance.