PCI DSS Requirement 6.6

The PCI compliance service provides Web Application Scanning (WAS) to assist customers with meeting PCI DSS Requirement 6.6, which deals with the security of web applications. The requirement calls for securing web applications using a variety of options.

Tell me about the WAS solution

The PCI compliance service provides an automated WAS module that lets users crawl web applications, detect cross-site scripting and SQL injection vulnerabilities, and run both authenticated and non-authenticated scans to capture the perspective of authorized and unauthorized users. The WAS solution automates the techniques used to identify most web vulnerabilities, such as those listed in the OWASP Top 10 and the WASC Threat Classification (WASC-TC), including SQL Injection and Cross-Site Scripting. The WAS module combines pattern recognition with observed application behavior to identify and verify vulnerabilities accurately.

Web application scanning is available in your account only when the Web Application Scanning (WAS) module is enabled for your subscription. The WAS module may be enabled for a trial period. If you would like to enable this feature, please contact Technical Support.

Where can I learn more about this requirement?

The PCI Council published a clarification document on the topic of Requirement 6.6 titled PCI DSS: Information Supplement: Application Reviews and Web Application Firewalls Clarified.

This document is published at the PCI Security Standards Council's web site:

https://www.pcisecuritystandards.org/security_standards/documents.php