6.6 PCI DSS (v3.2.1)
Compliance Standard: PCI DSS
Compliance Version: (v3.2.1)
Control ID: 6.6
Requirement 6: Develop and maintain secure systems and applications (v3.2.1)
For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
• Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2.
• Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.