Secure Payments, PCI DSS, Regulatory Compliance Blog

Web-Facing Applications

April 15th, 2008 by admin Posted in PCI DSS, Payment Applications

So, the eternal question: what is the difference between the PCI DSS 6.5 “web application” and the 6.6 “web-facing application”?  (6.5 asks that web applications be developed to secure coding guidelines such as OWASP; 6.6 asks that web-facing applications be protected against known attacks by either a code review or an application-layer firewall.)  The intent of 6.5 is internally developed web applications, whether Internet- or intranet-facing.  PCI DSS 6.6 is meant for Internet-facing web applications, and NOT for intranet use.

But is it this simple?  Trey Ford does not think so, and proposes that changes at the network edge should make us reconsider scope and what “web applications” really means.  Adobe AIR is moving web applications to the desktop, the cell phone, and intranet appliances.  Right now we have the above definition of what is Internet-facing and what is not, but the web-application landscape may well look different one day.  Does this mean we will need web application firewalls (WAF) on the internal network?  Probably not, but as the attacks change, so do the protection measures.

6 Responses to “Web-Facing Applications”

By Oleg on Apr 16, 2008

    Thank you, Mike!

By Jeff Hall on Apr 16, 2008

    As I recall, but cannot find, the card brands through the PCI SSC further clarified 6.6 by defining that it was ALL browser-based applications that faced “untrusted” networks. They defined “untrusted” networks as any network where the assessee does not have 100% control over the operation and management of the network.

    Based on that definition, this would include browser-based applications that are used between business partners that do not use the Internet for communication.

By wconway on Apr 16, 2008

    I know I’m speculating, but I can’t help but wonder whether, with the emerging attack vectors, the next version of 6.6 will specify “ALL browser-based applications” that store, transmit, or process card data.

By Evan on Apr 17, 2008

    Your clarification that 6.5 is for internet AND intranet web apps appears to be in direct contradiction to the direction that Chris Marks gave in the February PCI class held on site at Visa headquarters. He said multiple times, and we confirmed with him in person, that 6.5 (and 6.6) was only intended for external/internet-facing web applications and not internal/intranet sites. It’s unfortunate that the PCI DSS leaves so much to interpretation and that we can’t even get consensus within the “expert” community.

By Mitch on Jun 5, 2008

    I agree w/ Evan. I attended the May 2008 PCI class at Visa and was told the exact same thing by Chris. We also confirmed our understanding multiple times.

1 Trackback

Apr 16, 2008: PCI Blog - Compliance Demystified » Blog Archive » Requirement 6.6 clarification
