6.4 Public-facing web applications are protected against attacks.
This requirement focuses on protecting public-facing web applications from attacks and vulnerabilities. It covers ongoing threat assessment, implementation of protective measures, and management of payment page scripts to prevent exploitation by attackers.
Sub-requirements:
- Requirement 6.4.1: For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis
- Requirement 6.4.2: For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks
- Requirement 6.4.3: All payment page scripts that are loaded and executed in the consumer's browser are managed
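Requirement 6.4.3 asks that every script a payment page loads in the consumer's browser be inventoried, authorized and integrity-checked. The following added example (not code from the page or from the PCI SSC) shows one way to verify that: it parses a payment page, compares each `<script>` tag against an authorized inventory of URL to Subresource Integrity value, and flags inline, unauthorized, unpinned or tampered scripts. The hosts, script bodies and sample page are constructed for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value ('sha384-<base64 digest>') for script bytes."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

class _ScriptCollector(HTMLParser):
    """Record every <script> tag: external ones by src, inline ones with src=None."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src") or None, "integrity": a.get("integrity")})

def audit_payment_page(html: str, inventory: dict) -> list:
    """Compare the scripts a payment page loads with the authorized inventory
    (URL -> expected SRI value); return one finding string per deviation."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        if s["src"] is None:
            findings.append("inline script present: not covered by inventory/SRI")
        elif s["src"] not in inventory:
            findings.append(f"unauthorized script: {s['src']}")
        elif s["integrity"] is None:
            findings.append(f"missing integrity attribute: {s['src']}")
        elif s["integrity"] != inventory[s["src"]]:
            findings.append(f"integrity mismatch: {s['src']}")
    return findings

# Constructed sample data: hypothetical hosts and script bodies, not real services.
CHECKOUT_URL = "https://js.psp.example/checkout.js"
ANALYTICS_URL = "https://static.merchant.example/analytics.js"
INVENTORY = {
    CHECKOUT_URL: sri_hash(b"window.checkout = function () { /* tokenize card */ };"),
    ANALYTICS_URL: sri_hash(b"console.log('analytics');"),
}
SAMPLE_PAGE = f"""<html><body>
<script src="{CHECKOUT_URL}" integrity="{INVENTORY[CHECKOUT_URL]}" crossorigin="anonymous"></script>
<script src="{ANALYTICS_URL}"></script>
<script src="https://cdn.unknown.example/tracker.js"></script>
<script>document.title = "Pay";</script>
</body></html>"""
```

Run against the constructed page, `audit_payment_page(SAMPLE_PAGE, INVENTORY)` reports the analytics script as unpinned, the tracker as unauthorized and the inline script as outside the inventory, while the pinned checkout script passes; in practice the page would be fetched from production on a schedule and any finding raised as an alert.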
6.4 Public-facing web applications are protected against attacks.
Ensure all public-facing web applications are protected against known attacks using technical and process controls.
Frequently Asked Questions
How are public-facing web applications protected?
By using web application firewalls (WAFs), regular vulnerability scanning, and bot mitigation controls.
What are automated attacks?
Attacks carried out by bots or scripts, such as credential stuffing or scraping.
How often should web applications be tested for vulnerabilities?
Regularly, and after any significant changes or new deployments.
What is a WAF?
A Web Application Firewall is a security solution that filters, monitors, and blocks HTTP traffic to and from a web application.
Who is responsible for web application security?
Web application developers, IT security teams, and system administrators.
Common QSA Questions
Can you show evidence of WAF deployment and configuration?
Yes, we have documentation and logs showing WAF is deployed and actively protecting our web applications.
How do you detect and respond to automated attacks?
We use bot mitigation tools and monitor for suspicious activity.
How are vulnerabilities in web applications identified and remediated?
Through regular scanning, code reviews, and prompt remediation processes.