$100K fines loom for SMEs ignoring new card rules due Monday

If you’ve ever swiped your card at a store or entered your payment details online, you expect that transaction to be safe.

From March 31, 2025, businesses in Australia (and everywhere else) that store, process or transmit credit or debit card data must meet a stricter set of security requirements. The requirements come from the Payment Card Industry Data Security Standard (PCI DSS), a global standard maintained by the PCI Security Standards Council and enforced by the card brands and acquiring banks, designed to prevent fraud and protect cardholder data.

The current version, PCI DSS v4.x, introduced a number of "future-dated" requirements that were best practice until now and become mandatory on March 31, 2025. One of the most visible? Requirement 6.4.2: every public-facing web application must sit behind an automated technical solution that continually detects and prevents web-based attacks, which in practice almost always means a Web Application Firewall (WAF). Companies that don't comply risk penalties imposed through their acquiring bank or card brand, with fines commonly cited at $5,000 to $100,000 per month.

What’s changing?

One of the biggest updates is the effectively mandatory use of a Web Application Firewall (WAF). If you've ever installed antivirus software on your computer or phone, you know it scans for potential threats. A WAF does something comparable for websites and online payment systems: it sits in front of the web application, inspects every incoming request and outgoing response, and blocks or flags those that match known attack patterns. Before this update, businesses had another option under the old requirement 6.6 (6.4.1 in v4.x): instead of deploying a WAF, they could review their public-facing applications for vulnerabilities at least annually and after each change. That's like checking your home's locks once a year instead of having an alarm that monitors for break-ins around the clock. With new vulnerabilities appearing between reviews and attackers automating their scans, that approach is no longer considered enough, hence the requirement for continuous protection.

These changes directly impact how safely your payment information is handled. Stronger security means your card details are less likely to be stolen or misused when you shop online or in stores. John Yang, a cybersecurity expert at Progress, explains: “PCI DSS is an extensive standard, but there’s one change that any organisation can start adopting today, and that’s implementing a Web Application Firewall (WAF). Up until now, the standard offered an alternative to deploying a WAF. But from March 31, 2025, as per the section 6.4 – and specifically requirement 6.4.2 – the use of a WAF will be a mandatory requirement.” 

In simple terms, this means businesses can no longer take shortcuts when it comes to protecting customer transactions. But beyond just meeting compliance requirements, WAFs actually make businesses more secure. Yang highlights that as cyber threats become more sophisticated, this extra layer of defense will protect both companies and customers from fraud, identity theft, and financial losses. “The good news is that beyond simply ticking a compliance box, WAFs can greatly improve an organisation’s security.”

What does a WAF actually do?

Think of the internet like a crowded airport. A WAF acts as security screening, checking every visitor before letting them through. If someone suspicious tries to enter, such as an attacker probing for a way to steal credit card details, the WAF stops them at the door. A WAF helps block a variety of web-based threats. The classic ones are injection attacks, including SQL injection and cross-site scripting (XSS), where attackers smuggle malicious code into a website's inputs so that it runs against the database or inside other visitors' browsers to steal login sessions or manipulate transactions. Then there are application-layer denial-of-service (DoS) attacks, where attackers flood a website with expensive requests until it slows to a crawl or crashes, making it impossible for customers to make purchases. (A WAF helps with this kind of request flooding; very large volumetric DDoS attacks are usually absorbed upstream by a content delivery network or the hosting provider instead.)

Botnet attacks and web scraping are another concern. Automated programs can harvest product and pricing data, try stolen username and password lists against login pages (credential stuffing), or "card test" stolen card numbers with a stream of small fake transactions to see which ones still work. Lastly, data leaks and cookie tampering put sensitive user information at risk: a WAF can inspect outgoing pages for anything that looks like a card number or other personal details and can reject session cookies that a user has modified.

Without a WAF, a business has no automated layer between the open internet and its payment pages, so any flaw in the application is exposed the moment an attacker finds it, with stolen payment details, website outages or fraudulent transactions as the likely result. A WAF is a safety net rather than a cure, though: PCI DSS still requires that the application itself be developed securely and patched promptly.

How will businesses adapt?

Some companies already have WAFs in place, but others, especially smaller businesses, may need to upgrade their security systems. Experts recommend starting with a risk assessment to determine how exposed a website or payment system is to web-based attacks and which parts of it are in scope. From there, businesses must select a WAF that fits their needs; a small online store won't require the same scale of deployment as a major bank, and for many small merchants a hosting provider's or payment gateway's managed WAF will be the simplest route. Deploying the appliance is not the end of the job: requirement 6.4.2 also expects the solution to be actively running and kept up to date, to generate audit logs, and to be configured either to block attacks or to raise alerts that are investigated immediately. To ensure proper setup, the OWASP Core Rule Set (CRS) is a valuable free resource: a maintained set of attack-detection rules that works with ModSecurity and several commercial WAFs and gives businesses a tested baseline configuration to strengthen their defences.

Yang advises businesses to act now, rather than waiting until the deadline approaches: “Businesses can start by assessing the specific security requirements of the web application for which the WAF will be handling access requests, and select a WAF that aligns with those needs. I also recommend looking at the OWASP Core Ruleset which is a very helpful resource to help effectively configure and manage WAFs.”
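As an added illustration, not taken from the article or from Progress, this is what a ModSecurity 2.x configuration that loads the OWASP Core Rule Set looks like when set up along the lines 6.4.2 describes: running in blocking mode, inspecting request bodies, and writing an audit log. The file paths follow the Debian/Ubuntu packages and the thresholds are the CRS 4.x defaults; both are assumptions to adjust for your own installation.

```apache
# Added example (not from the article). Excerpt of /etc/modsecurity/modsecurity.conf
# for ModSecurity 2.x on Apache with the OWASP Core Rule Set (CRS) 4.x.
# Paths are the Debian/Ubuntu package locations and are assumptions.

# Engine mode. The packaged default is DetectionOnly, which logs suspicious
# requests but never blocks them. Keep it only while tuning rules against
# real traffic; a production deployment that is meant to "prevent" needs On.
#SecRuleEngine DetectionOnly
SecRuleEngine On

# Inspect request bodies as well as URLs and headers. Login forms, checkout
# forms and JSON API calls carry their data in the body, not the query string.
SecRequestBodyAccess On
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072

# Audit log: record every transaction the rules flagged (any 5xx, or any 4xx
# other than 404), with request and response headers and the matched rules.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log

# Load the OWASP CRS: the setup file first, then the rule files.
Include /usr/share/modsecurity-crs/crs-setup.conf
Include /usr/share/modsecurity-crs/rules/*.conf

# --- The two settings below live in crs-setup.conf and are shown for context. ---

# Paranoia level 1 is the least aggressive rule set (fewest false positives).
# Raise it only after tuning, because higher levels block more legitimate input.
SecAction \
  "id:900000,phase:1,pass,t:none,nolog,\
   setvar:tx.blocking_paranoia_level=1"

# Anomaly scoring: each matched rule adds points; a request whose total reaches
# the inbound threshold is blocked (CRS rule 949110), a response whose total
# reaches the outbound threshold (for example, a leaked card number) is blocked too.
SecAction \
  "id:900110,phase:1,pass,t:none,nolog,\
   setvar:tx.inbound_anomaly_score_threshold=5,\
   setvar:tx.outbound_anomaly_score_threshold=4"
```

The one-line trap here is `SecRuleEngine DetectionOnly`. It is the packaged default and the right mode while you tune rules against production traffic, but it never blocks anything, so a WAF left in that mode after go-live only satisfies 6.4.2 if someone is genuinely investigating every alert as it arrives. After changing the mode, run `apachectl configtest` and reload, then confirm in the audit log that flagged requests are being answered with a 403 rather than passed through.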

The push for stronger security is part of a larger global trend. Attacks on payment systems are increasing, and card schemes and regulators worldwide are tightening requirements to keep up. For businesses, failing to comply means fines, higher transaction fees and potential reputational damage; in the worst case an acquirer can stop processing a merchant's card payments altogether. For consumers, it means safer transactions and a reduced risk of fraud. So, what's next? Over the coming months, businesses will be working to meet these requirements, and shoppers should see the benefit in the form of fewer compromised cards, both online and in store.



Yajush Gupta

Yajush is a journalist at Dynamic Business. He previously worked with Reuters as a business correspondent and holds a postgrad degree in print journalism.
