“Public-facing” web applications are those that are accessible over the Internet, as opposed to intranet applications intended solely for a company’s internal use. Because these applications are open to the general public, they are exposed to all the usual Internet-based hazards. It should be no surprise, then, that public-facing web applications fall within the scope of the PCI Data Security Standard (PCI DSS). To ensure that companies manage these applications properly, the PCI DSS requires compliance with one of the two security practices listed below:
- Companies must review their public-facing web applications at least once per year and after any changes are made to the system. This review should be performed with manual or automated vulnerability assessment tools, and the entity responsible for this evaluation must be distinct from the application’s development team. All vulnerabilities that are found must be patched or otherwise addressed.
- Companies must install a web-application firewall in front of the application in order to thwart Internet-based cyberattacks.