Filed Under (PCI DSS, Payment Applications) by Michael Dahn on April-15-2008

So, the eternal question: what is the difference between the PCI DSS 6.5 “web application” and the 6.6 “web-facing application”?  The intent of 6.5 is for internally developed web applications, whether Internet or intranet facing.  PCI DSS 6.6 is meant for Internet-facing web applications only, and NOT for intranet use.

But is it this simple?  Trey Ford does not think so and proposes that changes at the network edge should make us reconsider scope and what “web applications” really mean.  Adobe AIR is moving web applications to the desktop, the cell phone, and intranet appliances.  Right now, we have the above definition for what is Internet facing vs. not, but one day the landscape of web applications may change.  Does that mean we may need web application firewalls (WAF) on the internal network?  Probably not, but as the attacks change, so do the protection measures.



Comments
Oleg on April 16th, 2008 at 3:27 am #

Thank you, Mike!

Jeff Hall on April 16th, 2008 at 8:32 am #

As I recall, but cannot find, the card brands through the PCI SSC further clarified 6.6 by defining that it was ALL browser-based applications that faced “untrusted” networks. They defined “untrusted” networks as any network where the assessee does not have 100% control over the operation and management of the network.

Based on that definition, this would include browser-based applications that are used between business partners that do not use the Internet for communication.

wconway on April 16th, 2008 at 2:51 pm #

I know I’m speculating, but I can’t help but wonder whether with the emerging attack vectors, the next version of 6.6 will specify “ALL browser-based applications” that store, transmit, or process card data.

[...] And don’t forget to read all about “web application” vs “web-facing applications” [...]

Evan on April 17th, 2008 at 6:21 am #

Your clarification that 6.5 is for internet AND intranet web apps appears to be in direct contradiction to the direction that Chris Marks gave in the February PCI class held on site at Visa headquarters. He said multiple times and we confirmed with him in person, that 6.5 (and 6.6) was only intended for external/internet facing web applications and not internal/intranet sites. It’s unfortunate that the PCI DSS leaves so much to interpretation and that we can’t even get consensus within the “expert” community.

Mitch on June 5th, 2008 at 3:34 pm #

I agree w/ Evan. I attended the May 2008 PCI class at Visa and was told the exact same thing by Chris. We also confirmed our understanding multiple times.
