Archive for March 1st, 2009


Requirement 6.6 – The Misunderstood Requirement – Part 1

It still amazes me how many people do not understand PCI requirement 6.6.  Even after the PCI SSC issued a lengthy Information Supplement regarding requirement 6.6, people still do not understand it.  So, foolishly, I’m going to give it a shot.  However, remember, requirement 6.6 only applies to organizations that develop application software, not organizations that purchase solutions.  By developing applications, I do not mean custom reports, I am talking about application development that adds or changes functionality, particularly functionality regarding the processing, storing or transmitting of cardholder data (CHD).

For those that have forgotten, requirement 6.6 states:

“For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes, or installing a web-application firewall in front of public-facing web applications.”

Many people don’t understand the purpose of this requirement.  This requirement is in response to attackers moving from network-based attacks to application-based attacks.  This movement is because applications that run through a browser are essentially the same regardless of the browser.  As a result, an attack against a Windows system running Internet Explorer is highly likely to also be effective against a Macintosh with Safari or a Linux system running Firefox.  Is this a great world or what!

Another big change in requirement 6.6 was a changing of terminology.  Notice the wording has changed from v1.1 from ‘web facing’ to ‘public facing’.  Based on clarifications from the PCI SSC, they have defined ‘public facing’ as any application that processes, stores or transmits CHD that is used on a network.  Therefore, all applications, externally facing or internally facing, are now in-scope if they process, store or transmit CHD.  Even those applications that do not have a browser interface are in scope.  Granted these applications present an extremely low risk, but they still need to be assessed.  Why the change in terminology?  Because FBI statistics indicate that more than 70% of all attacks have some form of an internal component and if an attack can be performed externally, it also can likely be performed internally.

In the next posting, I’ll discuss the use of application firewalls as a method of compliance.


Welcome to the PCI Guru blog. The PCI Guru reserves the right to censor comments as they see fit. Sales people beware! This is not a place to push your goods and services.

March 2009