
How to meet PCI DSS requirement 6.6 and keep down costs

PCI DSS requirement 6.6 demands application security compliance through one of two options: an application firewall or a code review. Expert Mike Chapple analyzes which is the better option for cost efficiency.

PCI DSS Requirement 6.6 indicates that when it comes to application security, companies have two options to achieve compliance: use an application firewall or conduct a code review. My team would like to keep costs down, but which one is ultimately the less expensive option?

PCI DSS Requirement 6.6 requires the implementation of security controls to address the risks facing public-facing Web applications. If a company operates a public-facing Web presence as part of its cardholder data environment, there are two options for compliance: conducting Web vulnerability assessments or installing a Web application firewall.

It's not possible for me to give a simple answer regarding the cost without more information about your organization and its operating environment. In most cases, expect the Web application firewall to be the more cost-effective route, especially when staff time is taken into consideration. If a company chooses to install a Web application firewall and it already has a robust security monitoring infrastructure, once it's past the initial deployment and tuning phase, it can simply point the alerts at the monitoring infrastructure and handle them as part of the same workflow that addresses intrusion alerts and other security anomalies.
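The workflow described above, a WAF feeding the same monitoring queue that already handles intrusion alerts, comes down to normalizing two alert formats into one record so analysts triage a single list. The following is an added example, not code from the column or from any WAF or IDS vendor; the two line formats and every alert value in it are constructed for the illustration.

```python
"""Normalize WAF and IDS alerts into one event shape for a shared triage queue.

Added illustration of routing WAF alerts into an existing monitoring workflow.
The line formats, rule ids and addresses below are constructed for this
example and do not correspond to any particular product's output.
"""
import re
from dataclasses import dataclass

# Constructed sample alerts from two sensors with different native formats.
WAF_LINES = [
    'waf ts=2014-09-10T10:00:01Z client=198.51.100.7 rule=900001 sev=CRITICAL '
    'uri=/checkout msg="cross-site scripting pattern in parameter q"',
    'waf ts=2014-09-10T10:00:05Z client=203.0.113.9 rule=900002 sev=WARNING '
    'uri=/ msg="host header is an IP address"',
]
IDS_LINES = [
    'ids ts=2014-09-10T10:00:02Z src=198.51.100.7 dst=10.0.0.5 sid=100001 '
    'prio=1 msg="suspicious response from web server"',
]

WAF_RE = re.compile(
    r'ts=(?P<ts>\S+) client=(?P<src>\S+) rule=(?P<rule>\d+) sev=(?P<sev>\w+) '
    r'uri=(?P<uri>\S+) msg="(?P<msg>[^"]*)"'
)
IDS_RE = re.compile(
    r'ts=(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) sid=(?P<rule>\d+) '
    r'prio=(?P<prio>\d) msg="(?P<msg>[^"]*)"'
)

# One severity scale for the queue, lowest number = handle first.
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Event:
    source: str     # "waf" or "ids"
    ts: str         # ISO-8601 timestamp as emitted by the sensor
    severity: str   # normalized: critical / high / medium / low
    src_ip: str     # client address the sensor attributed the activity to
    rule_id: str    # sensor-specific rule or signature id
    summary: str    # human-readable one-liner for the analyst


def waf_severity(sev: str) -> str:
    """Map the (constructed) WAF severity words onto the shared scale."""
    return {"CRITICAL": "critical", "ERROR": "high", "WARNING": "medium"}.get(sev, "low")


def ids_severity(prio: str) -> str:
    """Map a numeric IDS priority (1 = most severe) onto the shared scale."""
    return {"1": "critical", "2": "high", "3": "medium"}.get(prio, "low")


def parse_waf(line: str):
    """Return an Event for a WAF alert line, or None if the line does not parse."""
    m = WAF_RE.search(line)
    if not m:
        return None
    return Event("waf", m["ts"], waf_severity(m["sev"]), m["src"], m["rule"],
                 f'{m["msg"]} on {m["uri"]}')


def parse_ids(line: str):
    """Return an Event for an IDS alert line, or None if the line does not parse."""
    m = IDS_RE.search(line)
    if not m:
        return None
    return Event("ids", m["ts"], ids_severity(m["prio"]), m["src"], m["rule"],
                 f'{m["msg"]} ({m["src"]} -> {m["dst"]})')


def build_queue(waf_lines, ids_lines):
    """Merge both sources into one list ordered by severity, then time.

    Unparseable lines are dropped here; in production they would be counted
    and alerted on, since a silent parser failure hides events.
    """
    events = [e for e in map(parse_waf, waf_lines) if e]
    events += [e for e in map(parse_ids, ids_lines) if e]
    return sorted(events, key=lambda e: (SEVERITY_ORDER[e.severity], e.ts))


def sources_seen_from(events, ip: str):
    """Which sensors alerted on the same client address.

    This is the correlation a single queue makes cheap: the WAF's application
    layer view and the IDS's network view of one client land side by side.
    """
    return sorted({e.source for e in events if e.src_ip == ip})


if __name__ == "__main__":
    for event in build_queue(WAF_LINES, IDS_LINES):
        print(f"{event.severity:8} {event.ts} {event.source:3} {event.src_ip:15} {event.summary}")
```

The point of the example is the shape of `Event`, not the regexes: once a WAF alert carries the same fields as an intrusion alert, the existing escalation and ticketing steps apply to it unchanged, which is where the staff-time saving the answer describes comes from.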

Vulnerability assessment may have lower direct costs related to licensing and hardware acquisition, but it is likely to consume much more staff time in running the scans and interpreting the results. The important thing to note is that a Web vulnerability assessment is not a one-time activity. Rather, the requirement calls for testing on at least an annual basis and after any change to the Web application. If the code changes regularly, this can place a significant burden on the security staff.
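The recurring burden comes from the cadence itself: an assessment falls due a year after the last one, and again after every application change. The following is an added example, not code from the column, that encodes that cadence so a team can see which applications are due and why; the application names and dates in it are constructed.

```python
"""Track whether a PCI DSS 6.6 web vulnerability assessment is due.

Added illustration. The rule encoded here is the one stated in the text:
assess at least annually and after any change to the application. The
application registry and all dates are constructed sample data.
"""
from datetime import date, timedelta

ANNUAL = timedelta(days=365)


def assessment_status(last_assessment, change_dates, today):
    """Return (due, reasons) for one application.

    last_assessment: date of the most recent assessment, or None.
    change_dates:    dates on which the application code was changed.
    today:           the date the check is run.
    """
    if last_assessment is None:
        return True, ["no assessment on record"]
    reasons = []
    if today - last_assessment >= ANNUAL:
        reasons.append(f"last assessment on {last_assessment} is over a year old")
    # Only changes made after the last assessment are unscanned.
    unscanned = sorted(d for d in change_dates if d > last_assessment)
    if unscanned:
        reasons.append(
            f"{len(unscanned)} change(s) since {last_assessment}, first on {unscanned[0]}"
        )
    return bool(reasons), reasons


def next_deadline(last_assessment, change_dates):
    """Earliest date by which a fresh assessment is needed.

    A change triggers an assessment on the day it ships; with no unscanned
    change, the annual clock runs from the last assessment.
    """
    unscanned = [d for d in change_dates if d > last_assessment]
    if unscanned:
        return min(unscanned)
    return last_assessment + ANNUAL


def due_report(registry, today):
    """Return {app_name: reasons} for every application that is due.

    registry maps an application name to (last_assessment, change_dates).
    """
    report = {}
    for name, (last, changes) in registry.items():
        due, reasons = assessment_status(last, changes, today)
        if due:
            report[name] = reasons
    return report


# Constructed registry: three public-facing applications in the CDE.
REGISTRY = {
    "storefront": (date(2014, 1, 15), [date(2014, 3, 3), date(2014, 6, 1)]),
    "loyalty-portal": (date(2013, 5, 1), []),
    "gift-cards": (date(2014, 8, 1), [date(2014, 7, 1)]),
}

if __name__ == "__main__":
    for app, reasons in due_report(REGISTRY, date(2014, 9, 1)).items():
        print(f"{app}: " + "; ".join(reasons))
```

Run against the constructed registry on 2014-09-01, the storefront is due because of two unscanned changes, the loyalty portal because its last assessment is over a year old, and the gift-card application is not due since its only change predates the last assessment. Feeding the change dates from the deployment pipeline rather than maintaining them by hand is what keeps this check honest when the code changes often.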

The bottom line is that it's important to evaluate these two options side by side in the context of the organization. Remember, this is not simply a compliance decision. Both options are valuable security tools, and companies should consider the role they play in their broader security program. In fact, while PCI DSS requires the implementation of only one of these controls, your own security requirements may suggest implementing them both simultaneously.



This was last published in September 2014
