Web-Application Firewalls and PCI DSS Security
Build Web-Application Firewalls for PCI Compliance
PCI DSS addresses the security of the cardholder data environment (CDE): the people, processes and technology that store, process, or transmit cardholder data (CHD) or sensitive authentication data.
What Are Firewalls?
The official PCI glossary defines a “firewall” as: “Hardware and/or software technology that protects network resources from unauthorized access. A firewall permits or denies computer traffic between networks with different security levels based upon a set of rules and other criteria.”
Furthermore, firewalls monitor information as it moves in and out of an environment while logging activity for later review. They can be incorporated into a router or into a separate device.
What Are Web-Application Firewalls?
A web-application firewall (WAF) is an automated technical solution that detects and prevents web-based attacks against applications in a CDE. It sits in front of the application and inspects traffic at the application layer (HTTP requests and responses, including URLs, headers, parameters and bodies), blocking requests that do not match what the application should legitimately receive. A WAF is commonly used as a protective layer in front of applications that are incorrectly coded or poorly configured, screening for the vulnerability classes PCI DSS lists for secure development: injection flaws; buffer overflows; insecure cryptographic storage and communications; improper error handling and access control; cross-site scripting (XSS); cross-site request forgery (CSRF); and broken authentication and session management. It does not fix the underlying flaw, so it complements rather than replaces secure coding and patching. WAFs matter because public-facing web applications are among the most frequently attacked assets.
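To make the application-layer inspection described above concrete, the following is an added example (not code from PCI DSS, the 6.6 supplement or any WAF product) of a minimal signature-based request inspector. It illustrates three things a practitioner should understand before relying on a WAF: inputs must be normalized (URL-decoded, repeatedly, because attackers double-encode) before matching; a blocked or allowed request should produce an audit record carrying the elements PCI DSS requirement 10 expects in audit trails (who, what, when, where, outcome); and signature lists have gaps, so one of the constructed payloads deliberately slips through. The rule patterns, request fields and sample requests are all assumptions constructed for the example.

```python
"""Minimal application-layer request inspector in the style of a
negative-security (signature) WAF rule set.

Added illustration only: not a production WAF, and not code from
PCI DSS, the 6.6 supplement or any vendor.  Signatures, field names and
sample requests are constructed for the example.
"""
import json
import re
from urllib.parse import unquote, unquote_plus

# Constructed signatures for three vulnerability classes a WAF is
# typically used to screen for.  Real rule sets (e.g. OWASP CRS) are far
# larger and use anomaly scoring rather than a single match.
RULES = [
    ("sqli", re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|--\s|;\s*drop\b)")),
    ("xss", re.compile(r"(?i)(<script\b|javascript:|\bon\w+\s*=)")),
    ("traversal", re.compile(r"(\.\./|\.\.\\)")),
]

MAX_PARAM_LEN = 2048  # crude size cap: oversized values often signal overflow or padding attempts


def normalize(value: str, plus_is_space: bool = True) -> str:
    """Undo common evasion encodings before matching.

    URL-decode repeatedly (bounded, to avoid decode loops) so that a
    double-encoded payload such as %253Cscript%253E is seen as <script>,
    then collapse runs of whitespace.  Matching the raw value would miss it.
    """
    decode = unquote_plus if plus_is_space else unquote
    prev = None
    for _ in range(3):
        if value == prev:
            break
        prev, value = value, decode(value)
    return re.sub(r"\s+", " ", value)


def inspect(request: dict) -> dict:
    """Evaluate one request and return the verdict plus an audit record."""
    findings = []
    fields = [(n, v, True) for n, v in request.get("query", {}).items()]
    fields += [(n, v, True) for n, v in request.get("body", {}).items()]
    fields.append(("path", request.get("path", ""), False))  # '+' is literal in a path
    for name, raw, plus_is_space in fields:
        if len(raw) > MAX_PARAM_LEN:
            findings.append({"param": name, "rule": "oversize", "len": len(raw)})
            continue
        norm = normalize(raw, plus_is_space)
        for rule_id, pattern in RULES:
            m = pattern.search(norm)
            if m:
                findings.append({"param": name, "rule": rule_id, "match": m.group(0)})
    # Fields chosen to cover the audit-trail elements PCI DSS requirement 10
    # asks for: event type/outcome, time, origin and affected resource.
    return {
        "action": "block" if findings else "allow",
        "ts": request.get("ts"),
        "src": request.get("src"),
        "method": request.get("method"),
        "path": request.get("path"),
        "findings": findings,
    }


def audit_line(verdict: dict) -> str:
    """Serialize a verdict as one JSON log line for a central log collector."""
    return json.dumps(verdict, sort_keys=True)


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "benign": {"ts": "2024-05-01T10:00:00Z", "src": "203.0.113.10", "method": "GET",
               "path": "/checkout", "query": {"order": "10045", "coupon": "SPRING24"}, "body": {}},
    "sqli": {"ts": "2024-05-01T10:00:01Z", "src": "198.51.100.7", "method": "GET",
             "path": "/account", "query": {"id": "1' OR '1'='1"}, "body": {}},
    "xss_double_encoded": {"ts": "2024-05-01T10:00:02Z", "src": "198.51.100.7", "method": "GET",
                           "path": "/search", "query": {"q": "%253Cscript%253Ealert(1)%253C/script%253E"}, "body": {}},
    "traversal": {"ts": "2024-05-01T10:00:03Z", "src": "198.51.100.7", "method": "GET",
                  "path": "/static/..%2F..%2Fetc/passwd", "query": {}, "body": {}},
    # Slips past the sqli signature above (no digits after OR): a signature
    # list is a filter, not a fix for the injection flaw in the application.
    "evasion": {"ts": "2024-05-01T10:00:04Z", "src": "198.51.100.7", "method": "GET",
                "path": "/account", "query": {"id": "1' OR 'a'='a"}, "body": {}},
}


def run_samples() -> dict:
    """Inspect every sample and return name -> action, printing audit lines."""
    results = {}
    for name, req in SAMPLE_REQUESTS.items():
        verdict = inspect(req)
        print(audit_line(verdict))
        results[name] = verdict["action"]
    return results


if __name__ == "__main__":
    run_samples()
```

The "evasion" sample is the point to take away: a WAF in blocking mode reduces exposure to known attack patterns and produces evidence for requirement 10, but the injection flaw behind it still has to be fixed under requirement 6.5, which is why the 6.6 supplement treats the WAF as an addition to, not a replacement for, secure application development.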
How Do Web-Application Firewalls Meet PCI DSS Standard?
Web-application firewalls come up in three places: PCI DSS requirement 1.1, requirement 6.6, and the PCI SSC information supplement on requirement 6.6. Requirement 1.1 requires an entity to "[e]stablish and implement specific firewall and router configurations"; it concerns network-level firewalls at the perimeter of the CDE, and a WAF does not satisfy it on its own. Requirement 6 covers developing and maintaining secure systems and applications, including applying security patches and coding against the vulnerability classes listed in 6.5. Requirement 6.6 then requires that public-facing web applications be protected against new threats and known attacks on an ongoing basis by one of two methods: reviewing the application with manual or automated vulnerability assessment tools or methods, at least annually and after any change; or installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of the application to continually check all traffic. The 6.6 supplement provides guidance for choosing between the two options and for deploying each effectively. (The requirement numbers above follow PCI DSS v3.x; in v4.0 the equivalent control is found under requirement 6.4, where the automated technical solution becomes the required method.)
Web-Application Firewalls: a Best Practice for CHD Security
When it comes to securing CHD, a web-application firewall is not just one way of meeting PCI DSS requirement 6.6; it is a best practice for preventing attacks on a cardholder data environment. Given the prevalence of application-layer attacks (injection, XSS, and HTTP-level, or layer 7, denial of service) and the value of CHD to attackers, a WAF should be deployed in front of your public-facing applications, whether in your own environment or as part of a PCI-compliant hosting service, if you store, process or transmit cardholder data. Any site handling sensitive data, and any business-critical site, should consider one as a best practice as well.