PCI DSS Requirement 6.6 - Code Review or Web Application Firewall (WAF)
Posted on Thursday, July 10, 2008 by Bryan Johnson
The deadline to comply with PCI DSS Requirement 6.6 was June 30th, 2008. Merchants have been given two options:
1. Have all custom application code reviewed for common vulnerabilities by an organization that specializes in application security.
2. Install an application-layer firewall in front of web-facing applications.
The driver behind this new requirement is that a large percentage of credit card breaches are due to SQL Injection, Cross Site Scripting (XSS) and Buffer Overflow attacks. The intent of this requirement is to eliminate those vulnerabilities, which would contribute to a significant reduction in breaches. Here is the Information Supplement supplied by the PCI Security Standards Council.
Comments
Robin Greenhagen said on Thursday, July 10, 2008:
This isn't just a merchant requirement. Service providers who have any payment application or web based tools that handle (transmit or store) PAN, PIN, etc... must also protect those applications if they are exposed to the Internet.
Have a payment gateway? You must comply.
Have a shopping cart SaaS? You must comply.
We have a white paper on the costs of code review vs WAF and it is quite a stark difference. The big advantage of WAF in our experience is that it provides PROTECTION from the day you flip the switch. Code review is only DETECTION of the issue, but you may not be able to fix those issues for weeks, months, etc... so you are still exposed.
We have been fully audited and certified by Visa for CISP/PCI-DSS for 5 years now, so we have looked at nearly every option under the sun for all of the PCI controls.
If you are interested in our doc on the comparison between WAF and code review, email me at robin@gsihosting.com and I will get you a copy.
Robin Greenhagen
CTO / Founder
GSI