PCI DSS Compliance with Zeus Application Firewall Module

Key Acronyms
  • PCI: Payment Card Industry
  • PCI SSC: PCI Security Standards Council, an industry standard group that, amongst other activities, promotes the PCI DSS.
  • PCI DSS: PCI Data Security Standard, a statement of best practices and security measures for organizations handling cardholder data.

PCI DSS (Payment Card Industry Data Security Standard) is a pragmatic set of best practices and security measures that any organization must follow if they accept and handle cardholder data online. The standard encompasses network security, data protection, data encryption, system security, access control, ongoing monitoring and testing and security policy development.

The PCI DSS standard (revision 1.2, section 6.6) requires that organizations install a Web Application Firewall in front of public-facing web applications (as an alternative to costly annual code reviews):

For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:

  • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
  • Installing a web-application firewall in front of public-facing web applications
ZXTM AFM White Paper

Zeus Application Firewall Module is designed specifically to meet the requirements of PCI DSS section 6.6, and the capabilities of Zeus Traffic Manager can be deployed to meet other aspects of the PCI DSS standard.

PCI DSS Checklist

Recommendations for compliance

  • Install Zeus Application Firewall Module and create an application configuration for the web application you wish to protect.
  • Create a ruleset to protect the application, and deploy it initially in ‘detect’ or ‘shadow’ mode to test the security policy.
  • Apply the Baseline Protection Wizard to the ruleset to configure the core protection rules.
  • Apply the Secure Session Wizard to configure Cookie Jar protection and encryption of session cookies.
  • Apply the Payment Card Industry Wizard to protect against leakage of unmasked credit card numbers.

Verify the correct operation of your ruleset against test and live traffic, ensuring that no false positives (valid requests that would be dropped) occur.

Deploy your ruleset in ‘protection’ mode to secure your application.
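The Payment Card Industry Wizard step above protects against leakage of unmasked card numbers in responses. The following is an added illustration of that class of check, written for this page and not taken from Zeus Application Firewall Module: it scans a response body for digit runs that look like a primary account number (PAN), keeps only those that pass the Luhn checksum to limit false positives on order numbers and tracking ids, and rewrites each hit to the masked form (last four digits only). The regular expression, the function names and the sample body are assumptions constructed for the example; the card numbers are the widely published test numbers, not real cardholder data.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, not embedded in a longer digit run. Pattern constructed for this
# example; a production ruleset would tune it to the card brands accepted.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask all but the last four digits, the usual display form under PCI DSS."""
    return "*" * (len(digits) - 4) + digits[-4:]


def _digits_of(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_unmasked_pans(body: str) -> List[str]:
    """Return every Luhn-valid PAN (digits only) found in a response body."""
    return [
        _digits_of(m.group(0))
        for m in PAN_CANDIDATE.finditer(body)
        if luhn_valid(_digits_of(m.group(0)))
    ]


def scrub_response(body: str) -> Tuple[str, int]:
    """Replace each Luhn-valid PAN with its masked form.

    Returns the rewritten body and the number of PANs masked, so the caller
    can serve the safe body and also log the leak for review.
    """
    count = 0

    def replace(m):
        nonlocal count
        digits = _digits_of(m.group(0))
        if not luhn_valid(digits):
            return m.group(0)       # ordinary number, leave untouched
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(replace, body), count


# Constructed sample response body: two public test card numbers plus two
# ordinary numbers that must not be masked.
SAMPLE_BODY = (
    "Order 20240101 confirmed.\n"
    "Card on file: 4111 1111 1111 1111\n"
    "Backup card: 378282246310005\n"
    "Tracking id: 1234567890123456\n"
)

if __name__ == "__main__":
    leaked = find_unmasked_pans(SAMPLE_BODY)
    safe_body, n = scrub_response(SAMPLE_BODY)
    print(f"{n} unmasked PAN(s) found: {leaked}")
    print(safe_body)
```

When a rule like this runs in detect or shadow mode, the count returned by scrub_response is what you would log and review before switching to protection mode; the tracking id in the sample shows why the Luhn filter matters, since a 16-digit number that fails the checksum is left alone rather than counted as a false positive.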

Additional tasks

  • Use the Suggest Rules Wizard to analyze live traffic and suggest additional protection rules.
  • Use the Parameter Ruleset Creation Wizard to analyze form parameters and suggest additional validation rules.
  • Deploy the Invalid URL Handler to drop malformed HTTP requests.
  • Deploy the Protect Form Handler to protect any forms that include hidden or protected form fields.
  • Selectively deploy the URL Encryption Handler to protect parts of your web site that may be vulnerable to direct URL access.
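The Invalid URL Handler in the list above drops malformed HTTP requests before they reach the application. As an added example of what such a check does, and not code from Zeus Traffic Manager or its Application Firewall Module, the function below validates a single HTTP/1.x request line: it rejects control or non-ASCII bytes, a wrong number of tokens, methods and protocol versions outside an allow-list, incomplete percent-encoding, encoded control characters, backslashes and parent-directory segments. The allowed-method set, the length limit and the sample request lines are assumed values chosen for the illustration.

```python
import re
from typing import Tuple
from urllib.parse import unquote

# Policy constants for this example (assumed values, not product defaults).
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}
MAX_TARGET_LEN = 2048
VERSION_RE = re.compile(r"^HTTP/1\.[01]$")
BAD_PCT_RE = re.compile(r"%(?![0-9A-Fa-f]{2})")   # '%' not followed by two hex digits


def validate_request_line(line: str) -> Tuple[bool, str]:
    """Check one HTTP/1.x request line; return (accepted, reason)."""
    # Raw bytes outside printable ASCII are never valid in a request line.
    if any(not 0x20 <= ord(c) <= 0x7E for c in line):
        return False, "control or non-ASCII character in request line"
    parts = line.split(" ")
    if len(parts) != 3:
        return False, "request line is not 'METHOD target VERSION'"
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        return False, f"method not allowed: {method}"
    if not VERSION_RE.match(version):
        return False, f"unsupported protocol version: {version}"
    if not target.startswith("/"):
        return False, "request target must be an absolute path"
    if len(target) > MAX_TARGET_LEN:
        return False, "request target too long"
    if BAD_PCT_RE.search(target):
        return False, "malformed percent-encoding"
    # Checks on the decoded path catch encodings of otherwise rejected bytes.
    path = target.split("?", 1)[0]
    decoded = unquote(path)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        return False, "encoded control character in path"
    if "\\" in decoded:
        return False, "backslash in path"
    if ".." in decoded.split("/"):
        return False, "parent-directory segment in path"
    return True, "ok"


# Constructed request lines: two well-formed, the rest malformed in one way each.
SAMPLE_LINES = [
    "GET /index.html HTTP/1.1",
    "POST /checkout?order=42 HTTP/1.1",
    "GET /static/../../etc/passwd HTTP/1.1",
    "GET /%2e%2e/secret HTTP/1.1",
    "GET /a%2 HTTP/1.1",
    "GET /a%00b HTTP/1.0",
    "GET  /double-space HTTP/1.1",
    "TRACE / HTTP/1.1",
    "GET /x HTTP/2.0",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        accepted, reason = validate_request_line(line)
        print(f"{'ACCEPT' if accepted else 'DROP  '} {line!r}: {reason}")
```

The reason string is what belongs in the attack log: when the handler runs in detection mode it lets you see which rule would have fired on live traffic, and confirm that ordinary requests (including UTF-8 paths such as /caf%C3%A9, which this check accepts) are not being dropped before you move to protection mode.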

Review your configuration in Expert Mode, paying particular attention to when handlers are applied using preconditions. For maximum performance, any handlers that modify page content need not be invoked against pages that do not contain or process risky content such as forms and form handlers.

Test all rules in ‘detection’ mode before deploying them in ‘protection’ mode.

Put measures in place to monitor attack logs and deploy baseline protection updates as they become available.

© Zeus Technology Ltd