Policies

Compliance at F5 Distributed Cloud Services


What is PCI-DSS compliance?

The PCI DSS (Payment Card Industry Data Security Standard) is an information security standard designed to increase controls around cardholder data to reduce payment card fraud.

F5 Distributed Cloud Services PCI-DSS Certification

F5 Distributed Cloud Services has achieved Level 1 compliance, the highest and most stringent level, allowing us to process more than 6 million transactions annually. As part of the PCI DSS certification process, F5 Distributed Cloud Services' entire global infrastructure has been audited, including Distributed Cloud, Distributed Cloud Mesh, Distributed Cloud App Stack, the control plane, all our data centers, as well as our security policies and software development processes. However, the certification focused on the Distributed Cloud Mesh service. F5 Distributed Cloud Services does not process or store cardholder data in any manner, since Distributed Cloud Mesh acts as a reverse proxy, load balancer and app firewall between our customers’ origin servers (merchant or payment service provider) and their end consumers. F5 Distributed Cloud Services treats all communication from the end consumer to the origin server, which could potentially include the PAN (primary account number), security code, and expiration date, as the customer’s sensitive data. The Level 1 certification validates that any action performed on customers’ data by F5 Distributed Cloud Services global infrastructure complies with PCI DSS requirements.

Benefit to our Customers

For e-commerce merchants, payment service providers, and more generally any customer that stores, transmits, or accepts cardholder data, F5 Distributed Cloud Services' Level 1 certification will greatly facilitate our customers’ own PCI DSS compliance.

Furthermore, using F5 Distributed Cloud Web Application Firewall (WAF) will help our customers meet their own PCI requirement 6.6.

Lastly, by complying with the arduous requirements of PCI DSS, we are providing all our customers with an independent and industry-accepted security review of our processes, policies, infrastructure, and software development methodology.

 


What is GDPR compliance?

The European Union (EU) General Data Protection Regulation (GDPR) defines privacy protections and obligations for companies that handle personal data originating in the EU. Any company that processes personal data originating in the EU (whether or not the data subject is a citizen or resident of the EU) or the data of an EU resident, whether the company has operations in the EU or not, is covered by the GDPR.

F5's commitment to GDPR compliance

At F5, our mission is to deliver “universal cloud access” to all users, and we believe the protection of our customers' and their end users' data is fundamental to this mission. We have adhered to stringent standards with respect to end users’ data even before Europe’s watershed General Data Protection Regulation (GDPR) went into effect in 2018. We minimize our collection of personal data and only use personal data for the purpose for which it was collected. We have committed that we would keep personal information private, so we have never sold or rented our users’ personal information to anyone.

We have always followed the guidelines outlined by GDPR:

  • Only collect the personal data needed to provide the service offered.
  • Don’t sell personal information.
  • Give people the ability to access, correct, or delete their personal information.
  • Consistent with our role as a data processor, give our customers control over the information captured by our products such as web application firewall (WAF).

As data protection is an ever-evolving environment, we continue to monitor ongoing developments globally and will update this page as appropriate. If you have any further questions about how we process data on behalf of our customers in a GDPR-compliant fashion, please reach out to us at support@cloud.f5.com.

 


California Consumer Privacy Act (CCPA)

Similar to Europe's General Data Protection Regulation (GDPR), though with several key differences, California's data privacy act is a governmental framework designed to help safeguard consumers' sensitive personal information. As the digital landscape has evolved over the past decade, the tech sector's notion of consumer rights has expanded, particularly when it comes to sensitive data. With a number of highly public sensitive data breaches in recent years, personal information, from Social Security numbers to payment card data, needs to be safeguarded more vigorously than ever before. California's data privacy act, known as CCPA, is an effort to do just that. It's a governmental framework designed to help make sure organizations are properly protecting their customers' sensitive personal data.

F5's commitment to CCPA compliance

F5 has been adhering to strict standards for our users’ data even before CCPA went into effect. We minimize our collection of personal data and only use personal data for the purpose for which it was collected. We have committed that we would keep personal information private, so we have never sold or rented our users’ personal information to anyone. We give people the ability to access, correct, or delete their personal information; and consistent with our role as a data processor, give our customers control over the information captured by our products.

In addition, F5's patent-pending Blindfold technology enables customers to use their secrets (credentials, passwords, certificates) on our platform without giving us access to the secret. We put on our Blindfolds when handling your secrets, so that your secrets remain a secret.

If you have any further questions about how we process data on behalf of our customers in a CCPA-compliant fashion, please reach out to us at support@cloud.f5.com.