A merchant or service provider's PCI DSS scope reaches a moment of truth at the application edge. Internet-facing traffic terminates here. CDE access decisions are made here. Cardholder data flows in and out here. PCI DSS v4.0.1 made that edge denser: MFA into the CDE under Req 8.4.2 now applies to every account, not just administrators; Network Security Controls under Req 1 are described in terms broad enough to include application-aware proxies and software-defined isolation, not just stateful firewalls; new client-side controls under Req 6.4.3 and 11.6.1 protect against payment-page skimming; audit-grade observability under Req 10 must be continuous, not annual.
The classic responses are both expensive. The bolt-on kit: a WAAP module from one vendor, an access module from another, a multi-tenancy add-on, a sensitive-data masking module — each licensed separately, each with its own operator console, each integrated by your team. The cloud edge: move cardholder traffic to a third-party WAAP and put the path between the user and the CDE on someone else's platform — efficient until the auditor asks where the cardholder data is being inspected and your answer is "in someone else's cloud."
The third path is the one most operations teams actually want: one platform that covers the PCI controls that live at the application edge, on the network already inside the audit boundary. TR7 is built for that path. TLS, WAAP, MFA into the CDE, vTenant isolation, sensitive data masking and audit on the same TR7. The auditor asks for the artifacts; one operator console produces them.
Each control matters on its own. Taken together, they describe what PCI compliance looks like when the application edge runs on a single platform you already operate.
TLS termination on the TR7 edge with modern ciphers, current certificates, OCSP stapling, HSTS and the option to enforce mTLS where the use case allows it. Cardholder traffic on the wire meets Req 4.2.1 cryptography expectations before it reaches the back-end at all.
Inspect every request to a public-facing application before it reaches the CDE. TR7 WAAP combines a 10,000+ signature library with an 11-factor scoring engine and content-aware rules; CWE/CAPEC/MITRE mapping makes audit and incident artifacts traceable. Req 6.4.2 asks for a solution in front of public-facing applications — TR7 is that solution.
PCI DSS v4.0 extended MFA from administrators only to every account accessing the CDE. TR7 AAM enforces multi-factor authentication at the access edge with OIDC, SAML, TOTP, FIDO2 and step-up when context changes. The same control covers internal staff, contractors and service accounts reaching the CDE through TR7.
PCI DSS v4.0 reframed "firewall" as Network Security Controls, explicitly including application-aware proxies and software-defined isolation. TR7 delivers exactly that: vTenant for administrative and operational isolation between CDE and non-CDE workloads, QoS pools that give CDE traffic its own bandwidth envelope, and per-vService route tables that keep CDE-bound flows distinct. For PCI service providers, vTenant satisfies the Appendix A1 multi-tenant requirements without a separate appliance per merchant.
TR7 detects PAN, CVV and other sensitive patterns in API and HTML responses and masks them per policy before they leave the application edge. Req 3.4 calls for PAN to be unreadable wherever stored or displayed in unauthorized contexts — TR7 enforces that boundary on the egress path without changing application code.
Access events, traffic decisions, WAAP detections, MFA outcomes and SSH sessions to administrative targets all share one audit trail. SSH command-level capture is investigation-ready without a separate PAM product. SIEM export uses a consistent taxonomy across the platform — so the artifacts an assessor asks for come from one place.
Every capability below runs on the same TR7 platform that delivers and protects your modern services.
Current TLS versions, modern cipher suites, OCSP stapling, automatic certificate management. Optional mTLS where the use case allows. Supports Req 4.2.1 expectations on cardholder data in transit.
10,000+ signatures plus an 11-factor scoring engine. OWASP categories, framework-specific protections, CWE/CAPEC/MITRE mapping for audit and forensics. Inline blocking or detect-only modes.
Inject Content Security Policy, Subresource Integrity attributes, X-Frame-Options, HSTS and other security headers in the visual policy builder. Headers are configured at the edge, not in legacy application code that may never have set them.
Inspect outbound HTML and JSON for unauthorized script tags or unexpected payloads written by a compromised backend. Detects server-side compromise that produces skimmer-style output before it reaches the browser.
Multi-factor authentication for every account accessing the CDE through TR7. TOTP, FIDO2, push and SMS, with step-up by context — new device, new geo, sensitive resource.
AAM Per-Service Authentication mode wraps a legacy CDE application with OIDC or SAML SSO from your IdP. The legacy backend receives the credential artifact it expects; the user authenticates the modern way with MFA.
Multi-tenant isolation at the platform level. Tenants share TR7 but are administratively, operationally and observationally separated. CDE workloads can live in their own tenant — auditable boundary by design. Supports Appendix A1 obligations for service providers.
CDE traffic in its own bandwidth envelope; CDE-bound flows in dedicated route tables. Network security controls in PCI DSS v4.0 terminology are explicitly broader than stateful firewalls — application-aware proxies, ACLs and software-defined isolation count. TR7 covers this control surface at the application layer.
PAN truncation rules, CVV suppression, configurable pattern masking on outbound responses. Req 3.4 obligations on PAN display are met at the egress edge, without modifying application code.
One operator console, one audit trail across delivery, security, access and DDoS layers. SIEM export uses a consistent taxonomy. Supports Req 10 obligations on audit log content, retention and review.
SSH sessions reaching back-end CDE administration targets through TR7 are captured at the command level — every command, every response. Investigation-grade audit of the privileged access that PCI DSS Req 8 and Req 10 care most about.
TLS, WAAP, MFA, vTenant, masking and audit run on the same engine. No separate access module, no separate masking module, no separate multi-tenancy SKU, no separate audit add-on — all included under the same bandwidth license.
TR7 runs on your hardware, in your data centre, under your network controls. Cardholder traffic and audit logs do not transit a third-party edge. The cryptographic boundary, the inspection boundary and the audit boundary are the same boundary.
TR7 covers a specific surface of PCI DSS — the application edge. The map below is honest about what that does and does not include.
vTenant, QoS pool separation and per-vService route tables provide NSC controls at the application layer. CDE and non-CDE workloads behind TR7 can be isolated administratively, operationally and at the bandwidth level. This is one component of an organisation's NSC posture; an L3/L4 stateful network firewall typically complements it at the network layer.
Sensitive data masking on responses enforces PAN unreadability on the egress path. Configurable patterns, truncation, suppression. Covered at the edge without changing application code.
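The egress masking described above (and in the sensitive data masking and PAN truncation passages earlier on this page), shown as an added example that is not TR7's own code: it walks a decoded JSON response, suppresses fields whose names are assumed to carry a CVV, and truncates every Luhn-valid 13 to 19 digit run to first six/last four while leaving look-alike digit runs such as order numbers intact. The field-name list, the truncation format and the sample response are constructed assumptions.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Assumed field names whose values are suppressed outright (CVV must never be displayed).
CVV_KEYS = {"cvv", "cvv2", "cvc", "cid", "security_code"}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, which filters out order numbers and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(text: str) -> str:
    """Replace each Luhn-valid PAN in a string with first-6/last-4 truncation; other digit runs stay."""
    def repl(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return PAN_RE.sub(repl, text)


def mask_response(obj):
    """Walk a decoded JSON body: suppress CVV fields, truncate PANs inside every string value."""
    if isinstance(obj, dict):
        return {k: "[suppressed]" if k.lower() in CVV_KEYS else mask_response(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [mask_response(v) for v in obj]
    if isinstance(obj, str):
        return truncate_pan(obj)
    return obj


# Constructed sample: an order-detail response as a back-office application might emit it.
SAMPLE_RESPONSE = {
    "order_id": "20240517123456",  # 14 digits but fails Luhn, so it is left intact
    "card": {"pan": "4111 1111 1111 1111", "cvv": "123", "exp": "12/27"},
    "note": "Customer called about card 5555-5555-5555-4444 twice",
}

if __name__ == "__main__":
    print(mask_response(SAMPLE_RESPONSE))
```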
TLS termination at the edge with current versions and modern ciphers. HSTS, OCSP stapling, certificate management. Optional mTLS. Internal back-end legs can also be TLS-protected from the TR7 edge.
TR7 WAAP combines signatures, an 11-factor scoring engine and content-aware rules. CWE/CAPEC/MITRE mapping makes detections audit-traceable. Inline blocking or detect-only operating modes.
TR7 contributes specific controls to these requirements — CSP and SRI header injection via content-aware rules, server-side response inspection for unauthorised script injection, and bot management signals on skimmer-like behaviour. For dedicated browser-side script behavioural monitoring of the kind these requirements specifically address, complementary tooling is typically deployed alongside TR7. The honest scope is in the FAQ below.
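The server-side response inspection described here (and in the outbound HTML inspection and security-header passages earlier on this page), as an added example that is not TR7's own code: it parses an outbound HTML body and reports every script element that is inline, loads from an origin outside an allowlist, or lacks an SRI integrity attribute. The allowlist of expected script origins and the sample page are constructed assumptions; the same allowlist is what a CSP script-src directive injected at the edge would be built from.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist: the origins a payment page is expected to load scripts from.
ALLOWED_SCRIPT_ORIGINS = {"'self'", "https://checkout.example", "https://cdn.example"}


class ScriptAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []       # (finding, detail) tuples
        self._in_script = False  # true while inside an inline <script> body

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src")
        if src is None:
            self._in_script = True  # an inline script body follows
            return
        parts = urlsplit(src)
        origin = f"{parts.scheme}://{parts.netloc}" if parts.netloc else "'self'"
        if origin not in ALLOWED_SCRIPT_ORIGINS:
            self.findings.append(("unlisted-origin", src))
        elif not a.get("integrity"):
            self.findings.append(("missing-sri", src))  # expected origin, but not pinned

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.findings.append(("inline-script", data.strip()[:60]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def audit_html(body: str) -> list:
    """Return the findings for one outbound HTML body; an empty list means every script is expected and pinned."""
    auditor = ScriptAuditor()
    auditor.feed(body)
    auditor.close()
    return auditor.findings


# Constructed sample page: one pinned script, one unpinned, one unlisted origin, one inline.
SAMPLE_PAGE = """<html><body>
<script src="https://checkout.example/pay.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn.example/lib.js"></script>
<script src="https://unlisted.invalid/s.js"></script>
<script>console.log("unexpected")</script>
</body></html>"""
```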
AAM enforces per-application access policy at the CDE edge. Identity, device posture, geography, time-of-day and MFA strength feed each access decision. Lateral movement is bounded to what each application explicitly authorises.
MFA enforced at the access edge for every account reaching the CDE through TR7 — administrators, internal staff, contractors, service accounts. Step-up authentication when context changes. Native OIDC, SAML, TOTP, FIDO2.
Access events, WAAP detections, MFA outcomes and command-level SSH sessions in one audit trail. SIEM export with consistent taxonomy. Configurable retention. Supports the content, integrity and review obligations of Req 10.
vTenant provides administrative, operational and observability isolation between tenants on shared TR7 infrastructure. A PCI-scoped tenant runs alongside non-PCI tenants without commingled configuration, audit or traffic.
TR7 is the application-edge layer of a PCI programme. It does not replace anti-malware (Req 5), physical access controls (Req 9), network vulnerability scanning (Req 11.3), penetration testing (Req 11.4), file integrity monitoring (Req 11.5) or anti-skimming controls inside the cardholder's browser at the level dedicated client-side protection products provide. These are complementary controls in a complete PCI programme.
Public-facing channels where cardholder data flows. TR7 places TLS, WAAP, MFA and PAN masking on the edge in front of the CDE; vTenant separates production card workloads from non-CDE applications on the same platform.
Storefront, checkout APIs and back-office. WAAP in front of the public storefront; MFA on back-office access; PAN masking on order detail responses to staff; CSP and SRI headers injected at the edge to support payment-page integrity controls.
Multi-tenant merchant landscape. vTenant gives each merchant or merchant group its own isolated PCI scope on shared TR7 infrastructure — administratively, operationally and observationally separate. Appendix A1 obligations met without one appliance per merchant.
Tax, fines, fees, citizen-facing payment journeys. On-prem TLS, WAAP, MFA and audit keep cardholder data and audit trail inside national infrastructure and under domestic governance.
API-first products that move card and payment data. WAAP plus API schema enforcement at the edge; MFA at the access edge for the dashboard and developer consoles; PAN masking on log and dashboard responses; centralized audit across the API surface.
Provider portals that take card payments alongside PHI. TR7 covers the PCI controls at the application edge while running on the same platform that protects the broader application surface — one operator team, one audit trail.
Capabilities referenced by this solution — the technical pieces that compose the controls described above.
Browser-only access to RDP, VNC, SSH, Kubernetes and legacy systems — with credential vault, recording, and watermark built in.
Three MFA methods, per-service policy, trusted-device shortcut — no third-party MFA cloud.
One flow engine decides every authentication outcome — who can reach what, after which factor, under which context.
Trust earned at login doesn't carry forever. Every session stays under evaluation, every step of the way.
Connect every identity source beyond SAML and OIDC to the same access and audit flow.
WAAP inspection, mTLS identity and data masking keep working even as traffic flows to backends over TLS.
Mask IP for log privacy, reconstruct the correct client IP across proxy chains.
Move beyond L3/L4 — carry HTTP context into your flow records.
Move TLS beyond file-based configuration — turn it into a per-service security profile, certificate lifecycle and post-quantum readiness layer.
Lift the client certificate out of connection control and turn it into an identity object that drives traffic decisions.
Every tenant in its own routing world — overlapping IPs, static + dynamic routing and gateway monitoring from one panel.
Combine signature, score and context in a single engine — manage known attacks with confidence.
Mask sensitive data at platform level before it reaches the user or the logs.
Send every platform event to your SIEM in the format it expects — JSON, CEF or plainText.
Per-domain DNSSEC with key custody on your own infrastructure — no third-party signing service.
One TR7. Many tenants. Resources, network and operations boundaries each kept separate.
Make every L7 request measurable, filterable and reportable.
Produce branded, scheduled and on-demand PDF/XLSX reports in a single reporting pipeline.
Apply 8 security headers at the ADC layer without touching application code.
Turn raw WAAP logs into readable evidence reports for auditors, management and customers.
Bring your PCI scope to a TR7 demo. We will walk through TLS at the edge, WAAP in front of the CDE, MFA for every account into the CDE, vTenant isolation, sensitive data masking and the audit trail — exactly the artifacts an assessor asks for.