
PCI Council issues clarification on Web application security

The PCI Security Standards Council released documentation hoping to reduce a tide of confusion over enforcement of application firewalls and code reviews.

Responding to a wave of criticism and confusion surrounding the imminent deadline for a new section of the PCI Data Security Standard regarding Web application security, the PCI Security Standards Council on Tuesday released documentation intended to clarify the requirements for securing Web applications.


The clarification is meant to settle some of the confusion regarding the pending enforcement of PCI DSS Requirement 6.6, which covers application firewalls and code reviews.

Security practitioners and industry observers had criticized the language in the new requirement, saying that it was unclear whether organizations needed to both perform a code review and deploy a Web application firewall, or whether one or the other was sufficient. The new document explains that companies can do either the code review or install the application firewall, but that the council would ideally like to see them do both.

"The intent of Requirement 6.6 is to ensure Web applications exposed to the public Internet are protected against the most common types of malicious input. There is a great deal of public information available regarding Web application vulnerabilities," the council wrote in its guidance. "Proper implementation of both options would provide the best multi-layered defense. PCI SSC recognizes that the cost and operational complexity of deploying both options may not be feasible. Further, one or the other option may not be possible in some situations. However, it should be possible to apply at least one of the alternatives described in this paper and proper implementation can meet the intent of the requirement."


For organizations considering the application code review option, the PCI SSC laid out some more detailed information on what qualifies as a code review. For example, the new guidance defines such reviews as being "dynamic and pro-active, requiring the specific initiation of a manual or automated process." The four options for code reviews that meet Requirement 6.6 include:

  • Manual review of application source code
  • Proper use of automated application source code analyzer tools
  • Manual Web application security vulnerability assessment
  • Proper use of automated Web application security vulnerability assessment tools

As for the Web application firewall, the PCI SSC specifies that the firewall be "a security policy enforcement point positioned between a Web application and the client end point." That's a fairly broad definition, and the new guidance further broadens it by saying that the firewall can be either a dedicated appliance or a software application running on a server.
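The guidance's definition of a Web application firewall as a software "policy enforcement point" between the client and the application can be made concrete with a small WSGI middleware. The following is an added illustration, not code from the council's guidance or from any WAF product: the middleware wraps a constructed stand-in application, checks each request's path, query parameters and declared body size against a constructed allow-list policy (the `POLICY` table, the `/checkout` path and the `demo_app` function are all invented for this example), rejects anything outside the policy, and records each rejection for monitoring.

```python
"""Illustrative software policy enforcement point in front of a web application.

Added example (not from the PCI SSC guidance or any product): a WSGI middleware
positioned between the client and the application, as the guidance describes,
that applies an allow-list policy to request input before the application sees it.
The policy, the path and the demo application below are constructed for this example.
"""
import re
from urllib.parse import parse_qs

# Constructed policy: which parameters each path accepts and what they may contain.
POLICY = {
    "/checkout": {
        "max_body_bytes": 4096,
        "params": {
            "order_id": re.compile(r"^[0-9]{1,12}$"),
            "email": re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}$"),
        },
    },
}


class PolicyEnforcementPoint:
    """WSGI middleware: wraps the real application and vets input first."""

    def __init__(self, app, policy, audit_log):
        self.app = app
        self.policy = policy
        self.audit_log = audit_log  # list of (path, reason) tuples for monitoring

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        rule = self.policy.get(path)
        if rule is None:
            return self._deny(start_response, path, "path not in policy")
        query = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
        for name, values in query.items():
            pattern = rule["params"].get(name)
            if pattern is None:
                return self._deny(start_response, path, f"unexpected parameter {name}")
            for value in values:
                if not pattern.match(value):
                    return self._deny(start_response, path, f"parameter {name} failed policy")
        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            return self._deny(start_response, path, "bad Content-Length")
        if length > rule["max_body_bytes"]:
            return self._deny(start_response, path, "body too large")
        # Everything matched the allow-list: hand the request to the application.
        return self.app(environ, start_response)

    def _deny(self, start_response, path, reason):
        self.audit_log.append((path, reason))
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"request rejected by policy\n"]


def demo_app(environ, start_response):
    """Constructed stand-in for the protected web application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"order accepted\n"]


def send(app, path, query="", content_length="0"):
    """Drive a WSGI app without a server; returns (status, body)."""
    status_holder = {}

    def start_response(status, headers):
        status_holder["status"] = status

    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": path,
        "QUERY_STRING": query,
        "CONTENT_LENGTH": content_length,
    }
    body = b"".join(app(environ, start_response))
    return status_holder["status"], body


def run_demo():
    """Send constructed requests through the enforcement point; return statuses and audit log."""
    log = []
    guarded = PolicyEnforcementPoint(demo_app, POLICY, log)
    results = {
        "valid": send(guarded, "/checkout", "order_id=123456&email=a@example.com")[0],
        "bad_value": send(guarded, "/checkout", "order_id=12ab")[0],
        "unknown_param": send(guarded, "/checkout", "order_id=1&debug=1")[0],
        "unknown_path": send(guarded, "/admin")[0],
        "oversized": send(guarded, "/checkout", "order_id=1", content_length="99999")[0],
    }
    return results, log


if __name__ == "__main__":
    statuses, audit = run_demo()
    for name, status in statuses.items():
        print(f"{name}: {status}")
    for entry in audit:
        print("rejected:", entry)
```

Only the first request reaches `demo_app`; the other four are stopped at the enforcement point and logged. The point the guidance makes still applies: a filter like this narrows what the application is exposed to, but it does not fix defects in the application itself, which is why the council pairs the firewall option with a secure development process.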

However, the council is careful to say that simply deploying one of these protection methods is not enough to guarantee compliance with Requirement 6.6. "Note that compliance is not assured by merely implementing a product with the capabilities described in this paper," the guidance says. "Implementing a [Web application firewall] is one option to meet Requirement 6.6 and does not eliminate the need for a secure software development process."

Requirement 6.6 is due to go into effect on June 30.
