PCI DSS Requirement 6.6 - Code Review or Web Application Firewall (WAF)

The deadline to comply with PCI DSS Requirement 6.6 was June 30, 2008. Merchants have been given two options:

  • Have all custom application code reviewed for common vulnerabilities by an organization that specializes in application security.
  • Install an application-layer firewall (a web application firewall, or WAF) in front of all web-facing applications.

The driver behind this new requirement is that a large percentage of credit card breaches are due to SQL injection, cross-site scripting (XSS) and buffer overflow attacks. The intent of the requirement is to eliminate those vulnerabilities, which would contribute to a significant reduction in breaches. Note that the two options are not equivalent: a code review removes the defect from the application, while a WAF only filters requests on the way to an application that still contains it. Here is the Information Supplement supplied by the PCI Security Standards Council.
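To make the code-review option concrete, here is an added example of the kind of defect such a review is meant to catch; it is not code from the original post or from Braintree. The customer table, the e-mail values and the injection payload are all constructed for the demonstration and live in an in-memory SQLite database so the script runs offline.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for a merchant's customer table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, last4) VALUES (?, ?)",
        [("alice@example.com", "1111"), ("bob@example.com", "2222")],
    )
    return conn


def lookup_vulnerable(conn, email):
    # The pattern a code review flags: the caller's input is concatenated into
    # the SQL text, so a quote in the input changes the query's grammar.
    query = "SELECT email, last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, email):
    # The fix: a bound parameter. The driver passes the value separately from
    # the SQL text, so it is only ever compared as data, never parsed as SQL.
    query = "SELECT email, last4 FROM customers WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


def demo():
    conn = make_db()
    # Constructed payload: turns "WHERE email = 'x'" into a tautology.
    payload = "x' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, payload),
        "hardened": lookup_hardened(conn, payload),
        "normal": lookup_hardened(conn, "alice@example.com"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Against the same payload the concatenated query returns every row in the table, while the parameterized query returns nothing and still answers a legitimate lookup correctly. A WAF placed in front of this application might block this particular payload, but the concatenation remains in the code; only the first option in the requirement removes it.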

Posted by Braintree