About Web-Application Firewalls for PCI Compliance

The primary focus of the PCI DSS is the security of the cardholder data environment (CDE), which encompasses the people, processes and technology that store, process, or transmit cardholder data (CHD) or sensitive authentication data. Among the most important parts of that technology are the network components, and among those components are firewalls, a vital line of defense in the protection of IT environments.

What Are Firewalls?

The official PCI glossary defines a “firewall” as:

“Hardware and/or software technology that protects network resources from unauthorized access. A firewall permits or denies computer traffic between networks with different security levels based upon a set of rules and other criteria.”

Furthermore, firewalls monitor information as it moves in and out of an environment while logging activity for later review. They can be incorporated into a router or into a separate device.

What Are Web-Application Firewalls?

As detailed in the PCI DSS, web-application firewalls serve as an automated technical solution that detects and prevents web-based attacks on a CDE. They filter and block non-essential traffic at the application layer, and can often be used to counteract vulnerabilities introduced by incorrectly coded or poorly configured applications. These vulnerabilities include injection flaws; buffer overflows; insecure cryptographic storage and communications; improper error handling and access control; XSS; CSRF; and broken authentication and session management. Web-application firewalls are necessary because public-facing web applications are among the top targets for attackers.

So what about traditional firewalls vs. web-application firewalls? In short, a web-application firewall is a type of firewall with functionality specific to web servers. Where a traditional firewall decides which network traffic to permit or deny, a web-application firewall makes that decision based on the content of the web traffic itself, adding a smarter layer of protection between user, server/router and data.

Web-Application Firewalls According to the PCI DSS

Web-application firewalls are specifically mentioned in PCI DSS requirements 1.1 and 6.6 and in the 6.6 information supplement. Requirement 1.1 specifies that a PCI entity must “[e]stablish and implement specific firewall and router configurations.” Requirement 6.6 goes further, covering how entities must develop and maintain secure systems and applications with software patches and other appropriate security measures. The 6.6 supplement provides guidance to help entities choose between the two options that requirement 6.6 offers for addressing new threats on an ongoing basis and ensuring the applications’ protection.

Web-Application Firewalls: A Best Practice for CHD Security

When it comes to securing CHD, the use of web-application firewalls is not just part of the PCI compliance requirements; it is a best practice for preventing attacks on a cardholder data environment. Given the threat of application-layer attacks such as DDoS attacks, and the value of CHD, web-application firewalls should be incorporated into your environment or your PCI-compliant hosting service if you maintain PCI data. In fact, any site handling sensitive data and any business-critical site should consider using them as a best practice.