The PCI Security Standards Council announced the availability of two Information Supplements providing further clarification for PCI DSS requirement 11.3, regarding penetration testing, and Requirement 6.6, regarding application code review and application firewalls.
Both of these information supplements provide guidance to help merchants and service providers meet these two requirements in support of their PCI DSS compliance efforts. Both information supplements are now available on the Council’s website.
These Information Supplements are one of the Council’s methods to provide clarification and guidance on the PCI DSS. The Council, in conjunction with the payment card industry and its Participating Organizations – now numbering more than 440 companies from around the globe – utilizes these Information Supplements to assist merchants and service providers to adopt PCI DSS and protect customer cardholder data.
Requirement 11.3 addresses penetration testing, which includes network and application layer testing, as well as controls and processes around the networks and applications. Such testing is invaluable to ensuring that both networks and applications are protected from outside intrusion. The Information Supplement for Requirement 11.3 provides guidance on who can perform penetration testing, what the scope of such testing entails, the frequency of such tests, preparation for these tests, testing methodology and components of testing techniques.
Requirement 6.6, which becomes effective on June 30, 2008, provides two options which are intended to address common threats to cardholder data and ensure that input to web applications from un-trusted environments is fully inspected. The Information Supplement for this requirement gives organizations clarification on implementing application code reviews (option one) and/or application firewalls (option two).
The first option for application code review for meeting Requirement 6.6 is now subdivided into four alternatives designed to meet the intent of the requirement. They include:
- Manual review of application source code.
- Proper use of automated source code analyzer (scanning) tools.
- Manual web application security vulnerability assessments.
- Proper use of automated web application security vulnerability assessment (scanning) tools.
The second option for Requirement 6.6 is a Web Application Firewall (WAF) which is a security policy enforcement point positioned between a web application and a client end point. The Information Supplement provides recommended capabilities of a select WAF, additional recommended capabilities for certain environments, additional considerations for organizations implementing a WAF and additional sources of information on Web application security.