01 Mar 09

Requirement 6.6 – The Misunderstood Requirement – Part 1

It still amazes me how many people do not understand PCI requirement 6.6. Even after the PCI SSC issued a lengthy Information Supplement on requirement 6.6, people still do not understand it. So, foolishly, I’m going to give it a shot. However, remember that requirement 6.6 only applies to organizations that develop application software, not to organizations that purchase solutions. By developing applications, I do not mean custom reports; I am talking about application development that adds or changes functionality, particularly functionality regarding the processing, storing or transmitting of cardholder data (CHD).

For those that have forgotten, requirement 6.6 states:

“For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes, or installing a web-application firewall in front of public-facing web applications.”

Many people don’t understand the purpose of this requirement. It is a response to attackers moving from network-based attacks to application-based attacks. That shift happened because applications that run through a browser are essentially the same regardless of the browser. As a result, an attack against a Windows system running Internet Explorer is highly likely to also be effective against a Macintosh running Safari or a Linux system running Firefox. Is this a great world or what!

Another big change in requirement 6.6 was a change of terminology. Notice that the wording has changed from ‘web facing’ in v1.1 to ‘public facing’. Based on clarifications from the PCI SSC, ‘public facing’ is defined as any application that processes, stores or transmits CHD and is used on a network. Therefore, all applications, externally facing or internally facing, are now in scope if they process, store or transmit CHD. Even applications that do not have a browser interface are in scope. Granted, these applications present an extremely low risk, but they still need to be assessed. Why the change in terminology? Because FBI statistics indicate that more than 70% of all attacks have some form of internal component, and if an attack can be performed externally, it can likely also be performed internally.

In the next posting, I’ll discuss the use of application firewalls as a method of compliance.
