Secure Payments, PCI DSS, Regulatory Compliance Blog

Requirement 6.6 - Web Application Firewalls

January 24th, 2008 by admin Posted in PCI DSS, Web Applications

As we enter 2008 and June 30th approaches, we come closer to the day when PCI DSS requirement 6.6 changes from a recommendation to a requirement. The addition of this requirement has sparked serious conversation about the wording nuances, alternatives and definitions.

I’m happy to see these conversations happening as people explore options and alternatives for securing cardholder data. But we should remember the intent behind this requirement: “either option you choose for 6.6 has to result in prevention of attacks.” The goal is always to protect cardholder data, so whichever method you deploy, make sure that it accomplishes this.

Remember that, under the application firewall option, the firewall sits in front of Internet-facing web applications to prevent attacks such as SQL injection (SQLi) and cross-site scripting (XSS). The industry sees these as high-risk methods of web application compromise, so they must be prevented. If you have another method of preventing data compromise, propose it and document it as a compensating control.
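The two halves of the intent above, side by side, as an added example that is not part of the original post or of any product mentioned here: a request inspection step in the spirit of a WAF signature set, beside the code-level fix a code review would produce. The table, the signatures and the sample inputs are all constructed for this illustration; the point it shows is that the pattern-based control stops the obvious payloads while a payload it has no signature for still reaches the vulnerable query, whereas the parameterized query closes the whole class.

```python
"""Added example (not the post's or any vendor's code).

inspect_request()  -- a toy, signature-based inspection step of the kind a WAF
                      applies to incoming parameters (constructed rules).
lookup_vulnerable() -- string-built SQL, the bug a code review would flag.
lookup_fixed()      -- the same lookup with a bound parameter.
"""
import re
import sqlite3

# Constructed signatures, loosely modeled on common WAF rule patterns.
SQLI_PATTERNS = [
    re.compile(r"(?i)\bor\b\s+\d+\s*=\s*\d+"),       # ' OR 1=1
    re.compile(r"(?i)\bunion\b\s+(all\s+)?select\b"),  # UNION SELECT
    re.compile(r"--|;|/\*"),                         # comment / terminator
]
XSS_PATTERNS = [
    re.compile(r"(?i)<\s*script\b"),
    re.compile(r"(?i)\bon(error|load|click|mouseover)\s*="),
    re.compile(r"(?i)javascript\s*:"),
]


def inspect_request(params: dict) -> list:
    """Return (param_name, rule_class) findings; an empty list means 'allow'."""
    findings = []
    for name, value in params.items():
        if any(p.search(value) for p in SQLI_PATTERNS):
            findings.append((name, "sqli"))
        if any(p.search(value) for p in XSS_PATTERNS):
            findings.append((name, "xss"))
    return findings


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a cardholder lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (id INTEGER, holder TEXT, pan_last4 TEXT)")
    conn.executemany(
        "INSERT INTO cards VALUES (?, ?, ?)",
        [(1, "alice", "1111"), (2, "bob", "2222")],
    )
    return conn


def lookup_vulnerable(conn, holder: str) -> list:
    # Input is concatenated into the statement, so it becomes SQL grammar.
    sql = "SELECT holder, pan_last4 FROM cards WHERE holder = '" + holder + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, holder: str) -> list:
    # Input is bound as data; its content can no longer change the query.
    sql = "SELECT holder, pan_last4 FROM cards WHERE holder = ?"
    return conn.execute(sql, (holder,)).fetchall()


if __name__ == "__main__":
    conn = demo_db()
    for payload in ("alice", "x' OR 1=1 --", "x' OR 'a'='a"):
        blocked = inspect_request({"holder": payload})
        print(repr(payload),
              "inspection:", blocked or "allow",
              "| vulnerable rows:", len(lookup_vulnerable(conn, payload)),
              "| fixed rows:", len(lookup_fixed(conn, payload)))
```

Running it shows the signature set flagging `x' OR 1=1 --` but letting `x' OR 'a'='a` through, and that second payload still returns every row from the string-built query while the parameterized one returns nothing. That gap is why "either option you choose has to result in prevention of attacks" matters: a WAF is only as good as its rules and its tuning (the `--|;` rule above would also block legitimate input containing a semicolon), so whichever option you pick, test it against the attacks it is supposed to stop.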

3 Responses to “Requirement 6.6 - Web Application Firewalls”

By Tom on Apr 9, 2008

    Getting ready for PCI 6.6 compliance can be easier if you choose to install a web application firewall rather than code review your application every year as defined by PCI segment 6.6.
    The dotDefender Web Application Firewall can offer the easy compliance solution.
    You can have a 30-day trial of dotDefender and get ready for June 30.
    There are other products on the market that offer hardware appliances; this solution is much more expensive for a smaller business.

    Tom

By Ann Goldman on May 20, 2008

    What are the recommended products out there, from the following list?
    1. modsecurity.
    2. dotDefender.
    3. Imperva.
    4. BarracudaNetworks.
    5. Breach.
    Can you recommend the top features from the list above?
    Regards,
    Ann

By Michael Dahn on May 20, 2008

    Ann, we do not specifically endorse any one product, and different products may work better for different environments.

    Don’t forget to check the updated guidance from the PCI SSC: http://pcianswers.com/2008/04/22/pci-ssc-clarifies-requirements-66-and-113/
