Which statement best describes PCI DSS 6.6 for public-facing web applications?


Multiple Choice

Which statement best describes PCI DSS 6.6 for public-facing web applications?

Explanation:
Public-facing web applications need extra protection beyond standard controls. PCI DSS 6.6 allows two valid paths to achieve this: either place a web application firewall in front of the public-facing apps to block common and targeted attacks, or implement secure development practices for those applications that include regular vulnerability assessments of the custom code and remediation of any issues found. The first option provides real-time protection through filtering, while the second relies on ongoing testing and code review to catch flaws introduced during development. Vulnerability scanning alone, or relying only on automated code analysis, does not meet this requirement because 6.6 focuses on either protective tooling (a WAF) or a formal secure development process with vulnerability assessments. Claiming there is no ongoing protection beyond a basic firewall is incorrect, since 6.6 explicitly requires one of these additional measures for public-facing applications. In practice, an organization can comply by deploying a WAF or by establishing a secure SDLC that includes annual vulnerability assessments and remediation for custom code.

