On June 30, Requirement 6.6 of the Payment Card Industry (PCI) Data Security Standard (DSS) -- whose goal is to ensure that Web-facing applications are protected against known attacks by either completing a code review or installing a Web application firewall (WAF) -- moves from a best practice to a requirement.
In April, the PCI Security Standards Council, which oversees the standard, issued clarifications to 6.6, spelling out more clearly what a WAF needs to do, while at the same time breaking out four alternatives for doing a code review. Security professionals say the clarifications are a move in the right direction, but warn that, as with any standard, there are limitations, and companies will still face some hurdles in meeting the deadline if they are not already well on their way.
To comply with Requirement 6.6, companies must implement one of two options to protect their Web applications. The first is a code review, and there are now four alternatives for doing a code review: