What is Requirement 6.6?

Since its formation, PCI DSS has gone through several iterations in order to keep up with changes to the online threat landscape.

While the basic rules for compliance have remained constant, new requirements are periodically added.

One of the more significant of these additions was Requirement 6.6, introduced in 2008.

It was established to secure data against some of the most common web application attack vectors, including SQL injection, remote file inclusion (RFI) and other malicious inputs.

Using such methods, perpetrators can potentially gain access to a host of data, including sensitive customer information.

Satisfying this requirement can be achieved either through application code reviews or by implementing a web application firewall (WAF).

The first option consists of a manual review of the web application's source code coupled with a vulnerability assessment of application security. It requires a qualified internal resource or third party to run the review, while final approval must come from an outside organization. Moreover, the designated reviewer is required to stay up to date on the latest trends in web application security so that new threats are properly addressed.

Alternatively, businesses can safeguard against application-layer attacks by using a WAF deployed between the application and its clients. The WAF inspects all incoming traffic and filters out malicious requests.
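As an added illustration of the second option (this is example code, not part of this article or of any WAF product), a minimal request inspector that checks query parameters of incoming requests against a few signatures for the two attack classes the article names and returns an allow/block verdict with findings for the audit log. The rule names, parameter lists and sample requests are all constructed for this example; a real WAF rule set is far larger and is tuned per application.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed, illustrative signatures for SQL injection. A production WAF
# carries a much larger, application-tuned rule set; these only show the shape.
SQLI_PATTERNS = {
    "union-select": re.compile(r"(?i)\bunion\b\s+(all\s+)?select\b"),
    "tautology":    re.compile(r"(?i)['\"]\s*(or|and)\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+"),
    "comment-tail": re.compile(r"['\"]\s*;?\s*(--|/\*)"),
    "time-based":   re.compile(r"(?i)\b(sleep|benchmark)\s*\("),
}
# Remote file inclusion: an include-style parameter whose value is a remote
# URL or stream wrapper. Parameter names are a constructed example list.
RFI_PARAM_NAMES = {"page", "file", "include", "template", "path", "lang"}
RFI_VALUE = re.compile(r"(?i)^\s*(https?|ftp|php|data|expect)://")

def inspect_request(request_uri: str) -> dict:
    """Inspect one request URI; return {'allow': bool, 'findings': [(param, rule)]}."""
    parts = urlsplit(request_uri)
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for name, values in params.items():
        for value in values:
            for rule, pattern in SQLI_PATTERNS.items():
                if pattern.search(value):
                    findings.append((name, "sqli:" + rule))
            if name.lower() in RFI_PARAM_NAMES and RFI_VALUE.match(value):
                findings.append((name, "rfi:remote-include"))
    return {"allow": not findings, "findings": findings}

# Constructed sample traffic: benign requests mixed with the two attack classes.
SAMPLE_REQUESTS = [
    "/product?id=42",
    "/search?q=red+shoes&page=2",
    "/product?id=42'+OR+'1'='1",
    "/login?user=admin'--&pass=x",
    "/index.php?page=http://remote.example/shell.txt",
    "/report?q=1+UNION+SELECT+card_number+FROM+cards",
]

def filter_traffic(requests):
    """Return (allowed, blocked); blocked entries carry findings for the audit log."""
    allowed, blocked = [], []
    for req in requests:
        verdict = inspect_request(req)
        (allowed if verdict["allow"] else blocked).append((req, verdict["findings"]))
    return allowed, blocked

if __name__ == "__main__":
    allowed, blocked = filter_traffic(SAMPLE_REQUESTS)
    for req, findings in blocked:
        print("BLOCKED", req, findings)
    print(f"{len(allowed)} allowed, {len(blocked)} blocked")
```

Signature matching of this kind is only one layer of what a WAF does; it is easily too narrow or too noisy on its own, which is why the requirement pairs it with reviewer expertise and ongoing tuning.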