How does dotDefender support your business to meet PCI DSS?

dotDefender enables companies to address challenging PCI requirements in a straightforward and cost-effective manner. dotDefender fulfills the application layer firewall requirement in PCI DSS 6.6. In addition to meeting PCI compliance regulations, dotDefender offers comprehensive protection against SQL injection, cross-site scripting and scores of other application-level attacks.
dotDefender creates a security layer in front of the application. It detects and blocks application-level attacks in incoming web traffic that could be used to compromise the server and steal credit card and other corporate data. dotDefender is an out-of-the-box, rule-based security solution providing immediate and highly accurate application-level security according to PCI DSS 6.6 standards.


Using a Web Application Firewall instead of Code Review

PCI DSS 6.6 requires organizations to ensure the highest level of application security. It offers two alternatives: yearly code reviews or a web application firewall.

Code review

The first alternative may provide a high level of security, but can end up being very costly. Organizations typically use several applications and add new ones all the time. The total cost of code reviews comprises the review itself and the effort needed to fix the vulnerabilities it identifies. The IT team will need to prepare the code for review and be available for queries and support to the reviewers. Then, after the consultants submit a vulnerabilities report, your organization will need to schedule fix and test cycles to make sure the changes work as expected.
This "find, fix, and test" cycle does not always find all of the vulnerabilities in an application, resulting in more cycles. What's more, QA will need to verify that security fixes do not interfere with business functionality.
Therefore, any organization choosing this alternative should allocate the following resources yearly:
• Services by application security specialists
• IT resources to manage the code review process
• Development resources for eliminating vulnerabilities
• QA resources
• R&D risks entailed by development of security fixes and features

Thus, the second alternative — deploying a web application firewall — becomes attractive, as it provides a one-time compliance solution.

The Web Application Firewall Solution

Web application firewalls focus on protecting against security problems rather than identifying them. They detect web attacks in incoming traffic, thereby creating a security layer in front of the application.
This approach offers the following advantages:
• One time investment in PCI compliance
• A solution for security problems that requires no development effort
• Suitable for 3rd party applications and components