PCI DSS v4 WAF requirement (6.4.2): cost of compliance
PCI DSS v4 Requirement 6.4.2 mandates an automated technical solution (in practice, a WAF) to detect and prevent web-based attacks on public-facing web applications. The requirement became fully effective on 31 March 2025. For any merchant handling cardholder data via a public web app, the WAF is no longer optional.
Last verified June 2026
What the requirement says
“For public-facing web applications, an automated technical solution that detects and prevents web-based attacks is deployed. Active threats are addressed in real time and configured to either generate alerts and block the attacks, or alert and immediately investigate.”
What changed from v3.2.1
Under PCI DSS v3.2.1, Requirement 6.6 allowed either (a) a WAF or (b) regular code reviews. Under v4 Requirement 6.4.2, the code-review-only path is removed for public-facing web applications. A WAF (or equivalent automated technical solution) is mandatory and must be configured to block; alert-only mode is acceptable only with a documented real-time investigation process, not as a permanent state.
Minimum compliant WAF setups per vendor
- AWS WAF: web ACL with AWS Managed Rules Common Rule Set and SQL injection rule group, in blocking mode, with logging to S3 or CloudWatch. Cost: ~$5 per web ACL plus a per-request fee.
- Cloudflare: at minimum Pro plan with managed WAF rules enabled in blocking mode. OWASP Core Rule Set is included on Pro and above. Cost: $20-25/mo.
- Azure WAF: Front Door Premium with managed rules enabled in Prevention mode, or Application Gateway WAF v2 in Prevention mode. Cost: ~$25/mo minimum on Front Door.
- Cloud Armor: Standard tier policy with the preconfigured WAF rules (OWASP-derived) enabled in deny mode. Cost: $5/policy + per-request.
- Sucuri: Basic Firewall at $9.99/mo per site is compliant for small merchants. Pro for sites needing advanced DDoS mitigation.
- Quote-only vendors (Imperva, Akamai, F5): all ship PCI-compliant configurations as standard. Validate the specific rule set with the vendor and the QSA.
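The AWS bullet above, turned into a check a merchant can run before the QSA does. This is an added example, not code from this page or from AWS: `audit_web_acl`, `REQUIRED_GROUPS` and the sample ACL are constructed here, and the input follows the WebACL shape that `aws wafv2 get-web-acl` returns.

```python
"""Audit an AWS WAFv2 web ACL description against the minimum 6.4.2 setup listed above."""
from typing import Any

# Managed rule groups the AWS bullet above calls for, by their published names.
REQUIRED_GROUPS = {"AWSManagedRulesCommonRuleSet", "AWSManagedRulesSQLiRuleSet"}


def audit_web_acl(web_acl: dict[str, Any], logging_configured: bool) -> list[str]:
    """Return findings; an empty list means the ACL meets the page's AWS minimum.

    `web_acl` follows the WebACL object returned by `aws wafv2 get-web-acl`;
    `logging_configured` is True when get-logging-configuration returned a destination.
    """
    findings: list[str] = []
    attached: set[str] = set()
    for rule in web_acl.get("Rules", []):
        stmt = rule.get("Statement", {}).get("ManagedRuleGroupStatement")
        if stmt is None or stmt.get("Name") not in REQUIRED_GROUPS:
            continue  # custom, rate-based or other managed rules are outside this baseline check
        name = stmt["Name"]
        attached.add(name)
        # OverrideAction Count makes the whole group detect-only: matches are logged, not blocked.
        if "Count" in rule.get("OverrideAction", {}):
            findings.append(f"{name}: group is in COUNT mode (alert-only; needs a documented investigation process)")
            continue
        # Per-rule overrides can quietly neuter a "blocking" group one rule at a time.
        counted = [o["Name"] for o in stmt.get("RuleActionOverrides", [])
                   if "Count" in o.get("ActionToUse", {})]
        if counted:
            findings.append(f"{name}: {len(counted)} rule(s) overridden to COUNT: {', '.join(counted)}")
    for missing in sorted(REQUIRED_GROUPS - attached):
        findings.append(f"{missing}: not attached to the web ACL")
    if not logging_configured:
        findings.append("no logging destination (S3/CloudWatch) configured; evidence item (e) cannot be met")
    return findings


# Constructed sample: Common Rule Set blocking with one rule counted, SQLi group left in COUNT.
SAMPLE_ACL = {
    "Name": "shop-prod", "DefaultAction": {"Allow": {}},
    "Rules": [
        {"Name": "common", "Priority": 0, "OverrideAction": {"None": {}},
         "Statement": {"ManagedRuleGroupStatement": {
             "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet",
             "RuleActionOverrides": [{"Name": "SizeRestrictions_BODY", "ActionToUse": {"Count": {}}}]}}},
        {"Name": "sqli", "Priority": 1, "OverrideAction": {"Count": {}},
         "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": "AWSManagedRulesSQLiRuleSet"}}},
    ],
}

if __name__ == "__main__":
    for finding in audit_web_acl(SAMPLE_ACL, logging_configured=False) or ["OK: meets the minimum"]:
        print(finding)
```

The same structure applies to the other vendors' consoles or APIs; the point is that "managed rules enabled" is not evidence until you have confirmed none of them sit in count or detection mode.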
What the QSA will ask
Your Qualified Security Assessor will want evidence that (a) the WAF covers every public-facing web application in scope, (b) it is in blocking mode or has a documented real-time investigation process for alerts, (c) the rule set covers OWASP Top 10 categories including injection and XSS, (d) tuning is reviewed at a defined cadence (typically quarterly), and (e) logs are retained for the PCI retention period. Every vendor on this site can produce compliant evidence; the question is operational discipline.
Cost framing
For a small merchant (PCI SAQ-A-EP, SAQ-D), a $20-30/mo published-rate WAF is sufficient and is the cheapest path to 6.4.2 compliance. For a mid-market or enterprise merchant, the WAF is already in place for other reasons and 6.4.2 adds zero incremental cost. The compliance trap is small merchants assuming they do not need a WAF; under v4 they do.
Related reading
See the WAF ROI page for the non-compliance-driven business case, and the sister sites below for adjacent compliance-cost references.
Adjacent compliance-cost references
Same author, same methodology. No affiliate relationship with any vendor mentioned.