PCI DSS Requirement 6.6: Web Application Firewalls and Code Reviews

On June 30, 2008, PCI DSS requirement 6.6 takes effect, requiring that all merchants who operate public websites implement at least one of two controls:

  • Install a web application firewall
  • Perform application code reviews

Until recently, the meaning of these requirements has been quite unclear and subject to interpretation. However, with the recent release of an information supplement, the PCI Security Standards Council clarified the requirements and laid out a clear path to compliance for merchants. Let’s take a brief look at each of the two options.