Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified
Source: PCI Security Standards Council
The intent of Requirement 6.6 is to ensure that web applications exposed to the public Internet are protected against the most common types of malicious input. A great deal of public information is available regarding web application vulnerabilities; the minimum set of vulnerabilities to consider is described in Requirement 6.5. Proper implementation of both options named in the requirement (application code review and an application-layer firewall) would provide the best multi-layered defense. PCI SSC recognizes, however, that the cost and operational complexity of deploying both options may not be feasible, and that in some situations one or the other option may not be possible at all (for example, when there is no access to the application's source code).