Under PCI DSS 6.6, which activity is recommended to protect public-facing web applications?

Prepare for the PCI Data Security Standard Test with our quiz. Use flashcards and multiple-choice questions to learn each concept. Get ready to excel in your examination!

Multiple Choice

Under PCI DSS 6.6, which activity is recommended to protect public-facing web applications?

Explanation:
Public-facing web applications face ongoing threats at runtime, so you need a protection mechanism that acts in real time. A web application firewall provides automated protection by inspecting HTTP/S traffic, recognizing known attack patterns, and blocking them before they reach the app. This aligns with PCI DSS 6.6 by delivering continuous, proactive defense against web-based attacks. Penetration testing is important but only periodic; it cannot stop every attack as it happens. Turning off all public-facing apps isn’t practical, and relying solely on secure coding leaves deployed environments exposed to new vulnerabilities and misconfigurations. Automated protection like a WAF offers the ongoing, real-time safeguard that public-facing web apps need.

