PCI DSS stands for Payment Card Industry Data Security Standard. Its purpose is to make credit card transactions between merchants and users more secure. Over the past four years, the PCI has created a council, the Security Standards Council, which has put rules in place designed to encourage greater software security. Requirement 6.6, which turned from a best practice into an actual requirement on June 30, 2008, addresses Web application security specifically. It is considered by many in the security field to be an inadequate requirement but nonetheless a step in the right direction.
These tips, articles, expert responses, book excerpts, and webcasts will help you figure out how to comply with PCI DSS requirement 6.6 and increase your application security. If you have any resources that you would like to share, or have suggestions for a future Learning Guide topic, please email me.
PCI DSS compliance: The basics
Requirement 6.6 of the PCI DSS specifies that merchants must either implement code reviews or install a Web application firewall (WAF) to be in compliance. Ideally, security experts agree, companies will do both.
The PCI DSS has been clarified and added to several times over the years. This section includes an overview of requirement 6.6 in its present state and how it came to be.
WhatIs.com definition: PCI DSS
PCI DSS compliance: Web application firewall or code review?: Security leaders break down PCI DSS and its options for compliance. While many see requirement 6.6 as a step in the right direction, there are concerns about misapplication and that, even when applied perfectly, these measures are simply not enough.
Expert advice: PCI DSS compliance: WAF, code review or both?: Application security expert Caleb Sima explains how both options work to help you decide which option is best.
Article: PCI council formed; revised standard includes app security requirement: This story includes commentary about PCI DSS requirement 6.6, an application security rule which recommends either source code review or installation of Web application firewalls.
Article: PCI Security Standards Council to address application security requirements: This article fleshes out some of the software security issues companies may have to face when complying with PCI DSS beyond requirement 6.6.
Article: PCI deadline looms, but standard still packs little punch: As the title implies, many in the security industry are concerned that even full compliance with requirement 6.6 still leaves companies wide open to security breaches.
Article: Information supplement: Requirement 6.6 code reviews and application firewalls clarified: (PDF) Here is an information supplement straight from the PCI Security Standards Council.
Expert advice: Complying with the PCI Data Security Standard: Application security expert Jeremiah Grossman offers more ideas for what you need to do to become PCI compliant.
Article: PCI compliance and Web applications: Code review or firewalls?: Security expert Michael Cobb offers his take on the advantages of adopting either course of action for requirement 6.6.
Blog: PCI blog -- Compliance demystified: This is a "PCI DSS and regulatory compliance blog" from the Aegenis Group. There is a lot of good information to be found here. Its definitions and its explanation of PCI roles and responsibilities may clear up some basic questions for those interested in PCI, such as the difference between PCI DSS and PCI PED. Information specific to PCI DSS is found here.
Visit our next section on code review.