Umbrellas Now Mandatory Even in Seattle
PCI DSS 4.0 WAF requirement bets that we're not as good at layering as we thought.
Like me, people from Seattle don't use umbrellas. Only tourists and Californians who recently moved to Seattle use umbrellas.
We even have an entire annual music festival named after one. Still, no true Seattle-ite bothers.
Look at these wet people in Seattle with no umbrellas!
I KNOW, right?
Why no umbrellas, Seattle??
Because most of us dress in layers. Rain shedding layers. We wear hats. We invest in GORE-TEX. In short, we're prepared for rain.
If you're from Arizona, you're probably not prepared for water that doesn't evaporate before it hits the ground.
As of Monday, March 31, 2025, umbrellas (web application firewalls) are mandatory for PCI DSS 4.0 compliance. Requirement 6.4.2 now calls for an automated technical solution that continually detects and prevents web-based attacks against public-facing web applications, and the old 6.4.1 option of substituting periodic vulnerability assessments is gone. Presumably they picked that date because doing it a day later might have been seen as an April Fool's joke.
Fingers crossed, I'm still hoping it is.
Being in the hosting and information security business, you would think I'd be all about the WAF.
It's another layer of protection!
More security!
Defense-in-depth!
However, having lived in Seattle for 30+ years, I’ve usually seen a WAF (the aforementioned Web Application Firewall) as being about as necessary as an umbrella.
If you actually implement the rest of the 12 requirements of PCI DSS 4.0, you already have some pretty good layering going on. You're protected pretty well.
But if you haven't done so much layering and you're wearing suede pants, flip flops and a top made with cotton candy, then yeah you're gonna want a really big umbrella.
Thinking in Bets: A New Perspective on WAFs
But maybe I'm wrong. Maybe my umbrella aversion has clouded my judgment on WAFs.
Annie Duke's "Thinking in Bets" framework offers a useful way to reassess my position. She argues that good decisions are about acknowledging uncertainty and thinking probabilistically (say that 3 times!) rather than in absolutes.
So let's place some bets on WAFs.
Bet #1: WAFs Catch What Other Controls Miss
For years, I've relied on the layered approach: server hardening, proper coding practices, input validation, regular patching, and strong authentication. My mental model has been: do these right, and a WAF adds minimal value.
But what's the probability I'm wrong?
Last year, a client who did everything else right decided to turn off CAPTCHA because a VP said it was "hurting donations." Within 24 hours, they received hundreds of bogus transactions that cost them thousands in processing fees and countless hours of cleanup. A WAF wouldn't have replaced CAPTCHA, but it might have helped mitigate the donation form the fraudsters were hammering. This wasn't an isolated incident. Over the years, I’ve seen several clients who for one reason or another thought the CAPTCHA layer was not needed and turned it off only to learn the hard way.
What are the odds that even a well-maintained application has an undetected vulnerability at any given moment? Surprisingly high; going by the industry breach reports I read each year, my working estimate is 60-80%.
This bet is looking shakier than I thought.
Bet #2: WAFs Create More Problems Than They Solve
My second mental bet has been that WAFs create excessive false positives and operational headaches.
Even before the pandemic, this was frequently true. A client who decided to implement a WAF on their own suddenly found legitimate transactions failing. Their nonprofit lost an estimated $25,000 in donations during a critical fundraising week due to overzealous WAF rules.
I felt vindicated at the time.
But today? Modern cloud WAFs have dramatically improved. Cloudflare, for example, claims a false-positive rate under 0.01% on its Business tier for most clients.
The probability that a modern WAF will significantly disrupt operations appears much lower than I've been assuming: my estimate is 10-20% with default rules and no tuning, dropping to 1-5% once you run it in log-only mode for a week, review what it would have blocked, and adjust the rules before switching to blocking.
This bet isn't holding up well either.
Anecdotes from the Field: When WAFs Proved Their Worth
Since I'm being honest about reassessing my biases, let me share some stories that challenge my umbrella analogy:
The CAPTCHA Bypass Nightmare
A mid-sized retailer believed their CAPTCHA implementation was sufficient protection for their checkout page. They were processing about 500 transactions daily until suddenly they were hit with thousands of fraudulent attempts using stolen card numbers.
The attackers weren't using automation to fill out forms: they were directly manipulating API endpoints that bypassed the CAPTCHA entirely. After implementing a WAF with API protection, the attacks were blocked while legitimate transactions continued processing.
Granted, had they told us they were turning on the API for the application, this would have been a case where we could have offered some additional protection or at least monitoring.
Estimated savings: $15,000 in chargeback fees and countless hours of frustration and incident management.
The WordPress Zero-Day Lesson
About 10 years ago, a client ran a WordPress site with several plugins. A zero-day vulnerability was announced for one of their plugins on a Friday evening, with patches promised "early next week." Despite my warnings about keeping plugins updated, they had delayed several security patches.
They got hacked that same weekend. Their site was defaced and they spent weeks dealing with the aftermath.
My solution wasn't to implement a WAF. I fired them as a client and updated our policies: we don't host WordPress anymore. Problem solved—for me, at least.
This scorched-earth approach worked well for my business model, but it doesn't help organizations that need to use budget-friendly content management systems while maintaining security.
Years later, I've reluctantly acknowledged that for those who insist on using WordPress, a WAF is absolutely 1000% essential.
The WAF Landscape Has Changed
My Seattle umbrella analogy falls apart because it assumes WAFs haven't evolved. But modern WAFs are less like flimsy drug store umbrellas and more like sophisticated weather protection systems.
Today's WAFs offer:
API security that protects against attacks that bypass traditional form controls
Bot management that distinguishes between good and bad automated traffic
Machine learning-based detection that identifies novel attack patterns
Virtual patching that protects against known vulnerabilities before you can update your code
CDN integration that improves performance while adding security
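The CAPTCHA-bypass story above is the concrete case behind the first two bullets (API security and bot management). The following is an added example, not the author's code and not any vendor's product, showing the two checks an API-aware edge layer applies to a checkout endpoint: it refuses API calls that do not carry proof the CAPTCHA was solved for that session, and it rate-limits per source address, because solved CAPTCHAs can be bought in bulk. The design is assumed for illustration: the web tier issues an HMAC-signed proof bound to the session id and time, the browser sends it back in the hypothetical X-Session and X-Captcha-Token headers, and the shared key, TTL and thresholds are placeholders. All traffic is constructed inline.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Assumed design for the example (not any vendor's): the web tier signs a proof
# that the CAPTCHA was solved for a session; the edge rule engine verifies it.
CAPTCHA_KEY = b"example-shared-secret-rotate-me"   # placeholder shared secret
TOKEN_TTL = 300      # seconds a solved-CAPTCHA proof stays valid
RATE_WINDOW = 60     # sliding window for per-IP velocity, in seconds
RATE_LIMIT = 5       # checkout calls allowed per IP per window


def issue_captcha_token(session_id: str, solved_at: int) -> str:
    """Web tier: after the CAPTCHA is solved, bind the proof to session and time."""
    msg = f"{session_id}:{solved_at}".encode()
    mac = hmac.new(CAPTCHA_KEY, msg, hashlib.sha256).hexdigest()
    return f"{solved_at}:{mac}"


def captcha_token_valid(session_id: str, token, now: int) -> bool:
    """Edge: verify the proof offline, with no call back to the web tier."""
    try:
        ts_str, mac = token.split(":", 1)
        solved_at = int(ts_str)
    except (AttributeError, ValueError):   # missing header or malformed token
        return False
    if solved_at > now or now - solved_at > TOKEN_TTL:
        return False
    expected = hmac.new(CAPTCHA_KEY, f"{session_id}:{solved_at}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


class CheckoutGuard:
    """Minimal stateful rule set for POST /api/checkout."""

    def __init__(self):
        self.hits = defaultdict(deque)   # client_ip -> timestamps of recent calls
        self.used_tokens = set()         # proofs already spent (replay protection)

    def evaluate(self, req: dict) -> tuple[str, str]:
        if req["method"] != "POST" or req["path"] != "/api/checkout":
            return ("allow", "not a checkout call")
        now, ip, headers = req["time"], req["client_ip"], req["headers"]

        # Rule 1: the API call must carry the same proof the form flow produced.
        session = headers.get("X-Session")
        token = headers.get("X-Captcha-Token")
        if not session or not captcha_token_valid(session, token, now):
            return ("block", "checkout without valid CAPTCHA proof")
        if token in self.used_tokens:
            return ("block", "replayed CAPTCHA proof")

        # Rule 2: per-IP velocity. A valid proof on every request is not by
        # itself evidence of a human; solved CAPTCHAs are sold in bulk.
        window = self.hits[ip]
        while window and now - window[0] >= RATE_WINDOW:
            window.popleft()
        if len(window) >= RATE_LIMIT:
            return ("block", "checkout velocity exceeded")

        window.append(now)
        self.used_tokens.add(token)
        return ("allow", "ok")


def checkout_call(ip: str, time: int, session=None, token=None) -> dict:
    """Build a constructed request record in the shape evaluate() expects."""
    headers = {}
    if session is not None:
        headers["X-Session"] = session
    if token is not None:
        headers["X-Captcha-Token"] = token
    return {"method": "POST", "path": "/api/checkout",
            "client_ip": ip, "time": time, "headers": headers}


def run_sample() -> list:
    """Constructed traffic: one shopper, one direct-API fraudster, one burst."""
    guard = CheckoutGuard()
    t0 = 1_700_000_000
    results = []
    # Shopper solved the CAPTCHA on the form; the page then calls the API.
    tok = issue_captcha_token("sess-A", t0)
    results.append(guard.evaluate(checkout_call("198.51.100.10", t0 + 3, "sess-A", tok)))
    # Fraudster hits the API directly, skipping the form entirely.
    results.append(guard.evaluate(checkout_call("203.0.113.7", t0 + 4, "sess-B")))
    # Fraudster forges a proof for their own session.
    results.append(guard.evaluate(checkout_call("203.0.113.7", t0 + 5, "sess-B", f"{t0}:deadbeef")))
    # Fraudster replays the shopper's genuine proof.
    results.append(guard.evaluate(checkout_call("203.0.113.7", t0 + 6, "sess-A", tok)))
    # Card-testing burst from one IP, each call with a freshly solved CAPTCHA.
    for i in range(7):
        sess = f"sess-C{i}"
        fresh = issue_captcha_token(sess, t0 + 10 + i)
        results.append(guard.evaluate(checkout_call("203.0.113.7", t0 + 10 + i, sess, fresh)))
    return results


if __name__ == "__main__":
    for decision, reason in run_sample():
        print(decision, "-", reason)
```

The first call is allowed, the three direct-API attempts are blocked on rule 1 (no proof, forged proof, replayed proof), and the burst gets five calls through before rule 2 cuts it off. In practice a commercial WAF does not know your session scheme; the binding between the challenge and the session is a design decision on the application side, and bot-management products get an equivalent signal from their own challenge tokens and device fingerprints. The point of the example is that the two rules cover different failure modes, and that neither one alone would have stopped the traffic in the retailer story.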
The bet on modern WAFs looks increasingly favorable, especially when we consider the full range of capabilities they now offer.
Implementation Options Through a Betting Lens
If I accept that WAFs have value (and I'm starting to), the next question is how to bet on implementation. Let's look at the major options through Duke's framework of expected value:
Commercial Cloud WAF Services
Cloudflare Pro/Business ($20-200/month)
Ease of implementation: Very high (DNS change only)
Probability of meeting PCI requirements: >95%
Probability of effective protection: 75-85%
Expected operational impact: Very low
Additional benefits: CDN, DDoS protection
Imperva Cloud WAF ($100-500/month)
Ease of implementation: Medium (DNS change + configuration)
Probability of meeting PCI requirements: >95%
Probability of effective protection: 85-95%
Expected operational impact: Low to moderate
Additional benefits: Advanced bot protection, reputation-based security
Akamai Web Application Protector ($300+ /month)
Ease of implementation: Medium
Probability of meeting PCI requirements: >95%
Probability of effective protection: 85-90%
Expected operational impact: Low to moderate
Additional benefits: Enterprise-grade security intelligence, global CDN
Barracuda WAF-as-a-Service ($100-400/month)
Ease of implementation: Medium
Probability of meeting PCI requirements: >95%
Probability of effective protection: 80-90%
Expected operational impact: Low
Additional benefits: DDoS protection, specialized for Microsoft applications
AWS WAF ($5 base + usage)
Ease of implementation: Moderate (requires AWS knowledge)
Probability of meeting PCI requirements: >95%
Probability of effective protection: 80-90% with managed rules
Expected operational impact: Low to moderate
Additional benefits: Tight integration with AWS services
Azure Front Door with Azure WAF ($35 base + usage)
Ease of implementation: Moderate (requires Azure knowledge)
Probability of meeting PCI requirements: >95%
Probability of effective protection: 80-90% with proper configuration
Expected operational impact: Moderate
Additional benefits: Global load balancing, CDN
Open Source Options (ModSecurity with the OWASP Core Rule Set, Shadow Daemon, NAXSI)
Ease of implementation: Low (requires significant expertise)
Probability of meeting PCI requirements: >70% if properly configured
Probability of effective protection: 50-95% (highly dependent on implementation)
Expected operational impact: High initially, moderate ongoing
Additional benefits: Full control, no vendor lock-in
The betting framework makes it clear that for most organizations, commercial cloud WAF services offer the best expected value: high protection probability, low operational impact, reasonable cost, and quick implementation. One caveat on the "meeting PCI requirements" rows: requirement 6.4.2 asks for more than owning a WAF. The solution has to be actively running and kept up to date, it has to generate audit logs, and it has to be configured either to block web-based attacks or to generate alerts that are immediately investigated. A WAF left in monitor-only mode with nobody reading the alerts does not satisfy the requirement, whichever vendor you picked.
Making Better WAF Decisions
Rather than seeing the PCI requirement as a binary choice (comply or don't), we can use Duke's betting framework to make better decisions about implementation:
Acknowledge uncertainty: No security control is perfect, and WAFs will miss some attacks while potentially flagging some legitimate traffic.
Think in bets: Different WAF implementations have different probabilities of success based on your specific environment and threat model.
Consider the full range of outcomes: What's the worst case? The best case? The most likely case?
De-bias your thinking: Be aware of how past experiences (like my umbrella aversion) might be coloring your view of WAFs.
Treat it as a series of bets, not just one: Implementation, configuration, and ongoing management are all separate decisions with their own probability profiles.
Conclusion: Changing My Bet on Umbrellas
I've spent 30 years in Seattle without using an umbrella, and I've spent nearly as long being skeptical of WAFs. But good decision-makers update their beliefs when the evidence changes.
The modern WAF landscape, with cloud-based services offering high protection and low operational impact, has shifted the betting odds. For most organizations handling card data, implementing a WAF now offers positive expected value—even for those with good security hygiene.
Like a good poker player, I know when to fold a losing hand. My bet against WAFs was based on outdated information and personal bias. The PCI requirement feels annoying, but the underlying logic is sounder than I initially gave it credit for.
I'm changing my bet on WAFs. Sometimes mandatory umbrellas make sense after all—especially when the rain patterns are changing faster than our layering strategies can adapt.
Who knows, maybe I'll even start selling umbrellas.
About the Author: With over 30 years of experience in Seattle's rain and nearly as long in information security, I've learned that sometimes our strongest opinions deserve the most rigorous reassessment. My company, Concourse Hosting, provides security and hosting solutions for organizations of all sizes, with a focus on practical, effective controls that balance security and usability.