Key web-facing applications should have application layer firewalls


The organization will ensure that all web-facing applications have application layer firewalls installed and properly configured. [UCF ID 01450]

Supporting and supported controls

This control directly supports:

Establish and maintain firewall design and configuration practices [UCF Control ID 00544]

This control has no supporting controls.

Authority documents complied with:

• The Standard of Good Practice for Information Security CB6.4.3(a), SD4.6.4(a)

• Payment Card Industry Self-Assessment Questionnaire D § 6.6

• Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures Version 1.2 § 6.6

• Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers Version 1.2 October 2008 § 6.6

Credit Card Guidance

PCI DSS § 6.6 calls for the organization to ensure that all web-facing applications are protected against known attacks by installing an application-layer firewall in front of them.

The Payment Card Industry's Security Audit Procedures § 6.6 states that, for web-based applications, the auditor should ensure that one of the following methods is in place:

• Verify that custom application code is periodically reviewed by an organization that specializes in application security; that all coding vulnerabilities were corrected; and that the application was re-evaluated after the corrections.

• Verify that an application-layer firewall is in place in front of web-facing applications to detect and prevent web-based attacks.

The Visa Payment Application Best Practices (PABP) § 8.1 states that the application should run on a network with application-layer firewalls to ensure the application is operating in a secure network environment. Measures should be taken to ensure the application does not interfere with application-layer firewalls.

The Payment Card Industry Self-Assessment Questionnaire D § 6.6 states that, to protect web-facing applications against known attacks, an application-layer firewall should be installed or custom application code should be reviewed by an organization specializing in application security. After June 30, 2008, this becomes a requirement. Currently, it is considered a best practice.

§ 6.6 of Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures Version 1.2 states that the organization must ensure public-facing web applications are protected either by installing a web-application firewall or by reviewing the applications, at least annually and after changes are made, with an automated or manual security assessment tool.

§ 6.6 of Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers Version 1.2 October 2008 states that the organization must ensure public-facing web applications are protected either by installing a web-application firewall or by reviewing the applications, at least annually and after changes are made, with an automated or manual security assessment tool.

Metrics

The metrics associated with this control are as follows:

• Metric Reporting Standard 02116.doc


Site and content © Copyright 2003-2008 Network Frontiers, LLC. All rights reserved.