The great folks over at the PCI council have finally done something I agree with. They have provided a clear and concise explanation of PCI 6.6. Typically, their direction is unclear and left to the masses to decipher.
In the new PCI 6.6 supplement, the council has given more direction on how to meet the dreaded 6.6 (should be 6.6.6) before the June 30th deadline. Originally, many thought 6.6 would require full code reviews or a web application firewall. Then, based on comments from Bob Russo, it looked like a mix of reviews and scanning was in order.
Alas, we were all delighted to find out that the options for 6.6 are simple.
Option 1:
- Code Review, which is subdivided into 4 options:
  - Manual code review of application source code
  - Proper use of automated source code analyzer (scanning) tools
  - Manual web application security vulnerability assessments
  - Proper use of automated web application security vulnerability assessment (scanning) tools

Option 2:
- Web Application Firewall (WAF)
Now that that is cleared up, here is what I see. All of the source code assessment tool companies and web application firewall companies are in a panic. 6.6 was their pay day, but now it appears we have an easier way to achieve this by running a web application scanner such as WebInspect.
While there is definitely benefit in source code reviews, and WAFs have their place (though disputed by many), performing a review with a scanner is much more cost effective. At the end of the day, we are in business to make money and must make compromises between security and business. I think we have found that compromise for 6.6.