Information Supplement: Application Reviews and Web Application Firewalls Clarified
Source: PCI Security Standards Council
Payment Card Industry Data Security Standard (PCI DSS) Requirement 6.6 provides two options that are intended to address common threats to cardholder data and ensure that input to running web applications from untrusted environments is inspected "Top to Bottom." The intent of Requirement 6.6 is to ensure web applications exposed to the public Internet are continually protected against the most common types of threats while running and accepting input. There is a great deal of public information available regarding web application vulnerabilities. This paper provides guidance to assist in determining the best option, which can vary depending on products in use, how an organization procures or develops its web applications, and other factors within the environment.