As most people know, merchants, financial institutions and anybody else involved in processing payment cards are subject to PCI DSS, a standard intended to reduce fraud and cybersecurity risk. This applies to brick-and-mortar stores and banks as well as to card-not-present (CNP) transactions that take place online. The PCI DSS requirements are maintained by the PCI Security Standards Council (PCI SSC).
Overview of PCI requirements, as stated in the PCI SSC Quick Reference Guide (https://www.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf): “PCI Security Standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all entities that store, process or transmit cardholder data — with requirements for software developers and manufacturers of applications and devices used in those transactions. The Council is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council: American Express, Discover Financial Services, JCB, MasterCard and Visa Inc.”
The PCI DSS standard has been around for many years, but as far as application security is concerned, its role is changing rapidly.
Requirement 6.6: Ensure all public-facing web applications are protected against known attacks, either by performing application vulnerability assessment at least annually and after any changes, or by installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.
Ask any WAF vendor and they will tell you that this is the requirement that calls for web application security tooling. However, as systems evolve, as more communication is encapsulated in standard application-layer protocols, and as more of the infrastructure becomes software-defined, the way the 12 high-level PCI DSS requirements are implemented changes as well.
In the recent “Prioritized Approach for PCI DSS” document, the Council provides a roadmap for how stakeholders can focus their efforts to reduce risk earlier in the compliance process.
In this roadmap, securing the application takes a very prominent position and becomes a macro-milestone of its own: milestone #3, “Secure payment card applications”, as outlined in the document's milestone table.
Wallarm has recently published a whitepaper that details how the PCI DSS requirements relevant to application security map to specific features and benefits of the Wallarm Application Security Platform. The most relevant requirement for application security is, of course, Requirement 6: Develop and maintain secure systems and applications.
Requirement 6 covers secure development practices and protection against common application-level vulnerabilities such as those in the OWASP Top 10 (Requirement 6.5), and in Requirement 6.6 it offers a choice between regular application vulnerability assessments and an automated technical solution such as a WAF in front of public-facing web applications.
In addition to Requirement 6.6, the mapping covers Requirements 1.1.2, 1.2, 2.1, 2.1.1, 2.4, 2.5, 3.2, 3.3, 3.4, 5.2, 6.1, 6.2, 6.4, 6.5 and 6.7.
Explanations of the specific requirements and of the mappings can be found in the Appendix to the whitepaper.