In July I wrote a blog post about the modified Requirement 6.6 in PCI DSS 3.0. I am not going into the details again; it is sufficient to say that the new standard allows operating a WAF in monitoring-only mode, without blocking requests:
6.6 For public-facing web applications, ensure that either of the following methods is in place as follows:
[..]
– Is configured to either block web-based attacks, or generate an alert.
That was a very strange change in PCI DSS 3.0, and I assumed it was some sort of typo. I decided to send an e-mail to the PCI Council to get some clarification about this change. It took some time, but I finally got a response. To sum up: it is no typo.
The PCI Security Standards Council Response Team’s answer:
The intent of Requirement 6.6 is to ensure web-facing applications are protected from known attacks. One of the options defined by the requirement is to install an automated technical solution (such as WAF) that “detects and prevents” web-based attacks. The solution used can encompass a combination of technology and process. Where the solution includes a reliance on process, there must be mechanisms to ensure that processes are followed in order to prevent attacks and meet the intent of the requirement. For example, if a WAF is configured to “monitor only” rather than “block” attacks, there must also be real-time alerting and response procedures in place to react to, and thus prevent, incoming attacks in a timely manner.
The requirement wording is intended to allow organizations flexibility to choose protection methods that best meet their needs. Whichever mechanisms are employed, the required result is that attacks are prevented, not just identified.
I do understand why a company may not want an enforcing WAF. It is about False Positives and how to handle them. Everyone who operates an Intrusion Detection System knows it: False Positives are a pain in the ass and it is really hard to get rid of them, but with an IDS this problem will not disturb the business. With a WAF in enforcing mode it is different: a False Positive WAF block will indeed block legitimate traffic and can possibly disturb business processes, and it is quite hard to prevent this.
So now you can indeed operate a WAF in monitoring-only mode without violating PCI DSS, provided you have a 24/7 response team that can react to a WAF alert very quickly.
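The Council's clarification turns "monitoring only" into a process question: an alert that nobody acts on in time does not "prevent" anything. The following script is an added example, not code from the original post or from any WAF product. It models the check an assessor or SOC lead would want to run: take the alert stream of a WAF that only generates alerts, pair it with the response team's acknowledgements, and list every alert that was answered late or not at all. The log formats, the alert IDs, the rule numbers and the 15-minute deadline are all constructed assumptions for this example.

```python
"""Added example (not part of the original post): verify that alerts from a
monitoring-only WAF were acted on within a response deadline.

Both event streams below are constructed for this example. The line format
('TIMESTAMP key=value ...'), the alert IDs, the rule numbers and the
15-minute deadline are assumptions, not values from the post or from a
specific WAF product.
"""
from datetime import datetime, timedelta

# Constructed WAF alert lines. "action=alert" marks monitoring-only mode:
# the request was logged and an alert raised, but nothing was blocked.
WAF_ALERTS = """\
2014-03-01T10:00:00 id=1001 action=alert rule=941100 src=203.0.113.7 uri=/login
2014-03-01T10:05:00 id=1002 action=alert rule=942100 src=198.51.100.9 uri=/search
2014-03-01T10:40:00 id=1003 action=alert rule=930100 src=203.0.113.7 uri=/admin
"""

# Constructed response-team events: when each alert was acknowledged.
# Alert 1003 is never acknowledged.
RESPONSE_EVENTS = """\
2014-03-01T10:04:00 ack id=1001 analyst=oncall1
2014-03-01T10:31:00 ack id=1002 analyst=oncall1
"""

# Assumed SLA for this example: an alert must be picked up within 15 minutes.
RESPONSE_DEADLINE = timedelta(minutes=15)


def parse_kv_line(line):
    """Parse 'TIMESTAMP key=value key=value ...' into a dict.

    The timestamp is stored under 'ts'; a bare token without '=' (such as
    'ack') is stored under 'event'.
    """
    parts = line.split()
    record = {"ts": datetime.fromisoformat(parts[0])}
    for token in parts[1:]:
        if "=" in token:
            key, value = token.split("=", 1)
            record[key] = value
        else:
            record.setdefault("event", token)
    return record


def parse_alerts(text):
    """Return one dict per non-empty WAF alert line."""
    return [parse_kv_line(line) for line in text.splitlines() if line.strip()]


def parse_acks(text):
    """Return a mapping alert id -> earliest acknowledgement timestamp."""
    acks = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_kv_line(line)
        if rec.get("event") != "ack":
            continue
        if rec["id"] not in acks or rec["ts"] < acks[rec["id"]]:
            acks[rec["id"]] = rec["ts"]
    return acks


def evaluate_response(alerts, acks, deadline=RESPONSE_DEADLINE):
    """Classify each alert as 'in_time', 'late' or 'unanswered'."""
    results = {}
    for alert in alerts:
        ack_ts = acks.get(alert["id"])
        if ack_ts is None:
            results[alert["id"]] = "unanswered"
        elif ack_ts - alert["ts"] <= deadline:
            results[alert["id"]] = "in_time"
        else:
            results[alert["id"]] = "late"
    return results


def compliance_gaps(results):
    """Alert IDs whose handling would not satisfy 'react in a timely manner'."""
    return sorted(alert_id for alert_id, status in results.items() if status != "in_time")


if __name__ == "__main__":
    outcome = evaluate_response(parse_alerts(WAF_ALERTS), parse_acks(RESPONSE_EVENTS))
    for alert_id, status in sorted(outcome.items()):
        print(f"alert {alert_id}: {status}")
    print("gaps:", compliance_gaps(outcome))
```

Run stand-alone, the script reports alert 1001 as answered in time, 1002 as late and 1003 as unanswered, so two of three alerts would fail the "react in a timely manner" test. In a blocking WAF those three requests would simply have been dropped; in monitoring-only mode the same three lines are only evidence that someone still has to act, which is exactly the gap the Council's answer points at.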