Payment Card Industry (PCI) Requirement 6.6 went into effect on June 30, 2008. In order to meet this requirement, any Web applications that store, process, or transmit credit card information must be able to:
- Detect vulnerabilities in Web-facing application code
- Prioritize, manage, and remediate vulnerabilities
- Validate and document that vulnerabilities have been corrected
How will your company comply with PCI Requirement 6.6 and "ensure that all Web-facing applications are protected against known attacks"?
Satisfying the Auditors
No matter how well or how often you assess your websites, new vulnerabilities will be found. This makes satisfying your auditor's quarterly PCI 6.6 requirements a "can't win" situation. Current scanning options generate a large volume of findings, leading to a mad rush by developers to try to fix them in time. Added to that mix is the burden of filtering out the sheer volume of false positives these scans produce. The result can be application security paralysis. So, what do you do?