Before you decide whether a source code review or a Web application firewall best meets your PCI DSS compliance needs, I recommend taking the time to fully understand PCI's Web application requirements, including the clarification documents, and considering how the approved options mesh with your architecture and resources. It is now clear that enterprises have multiple paths to compliance and, if executed properly, any of the options will not only help achieve compliance but also improve Web application security.
Of course, there is no one-size-fits-all approach to application security. Unless you are in the fortunate position to be able to both conduct code reviews and run a WAF, it looks like the choice may simply come down to people. Does the enterprise have staff that can:
