<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: PCI Compliance to mandate Application Security Testing</title>
	<atom:link href="http://infosecpals.com/blog/2007/pci-compliance-to-mandate-application-security-testing/feed" rel="self" type="application/rss+xml" />
	<link>http://infosecpals.com/blog/2007/pci-compliance-to-mandate-application-security-testing</link>
	<description>Collective blog on Infosec, technology and gadgets!</description>
	<pubDate>Mon, 21 May 2012 02:42:00 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6</generator>
		<item>
		<title>By: oakley frogskins</title>
		<link>http://infosecpals.com/blog/2007/pci-compliance-to-mandate-application-security-testing#comment-60454</link>
		<dc:creator>oakley frogskins</dc:creator>
		<pubDate>Thu, 28 Jul 2011 01:32:06 +0000</pubDate>
		<guid isPermaLink="false">http://infosecpals.com/blog/2007/pci-compliance-to-mandate-application-security-testing#comment-60454</guid>
		<description>I have joined your rss feed and look forward to looking for additional of your good post. Also, I’ve shared your website in my social networks!</description>
		<content:encoded><![CDATA[<p>I have joined your rss feed and look forward to looking for additional of your good post. Also, I’ve shared your website in my social networks!</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Chiradeep Chhaya</title>
		<link>http://infosecpals.com/blog/2007/pci-compliance-to-mandate-application-security-testing#comment-20</link>
		<dc:creator>Chiradeep Chhaya</dc:creator>
		<pubDate>Fri, 26 Oct 2007 03:02:28 +0000</pubDate>
		<guid isPermaLink="false">http://infosecpals.com/blog/2007/pci-compliance-to-mandate-application-security-testing#comment-20</guid>
		<description>I think the PCI "standard" is hardly a standard. As far as we're concerned, there are two ways to look at #6.6.

On the one hand, it gives a number of pen testing boutiques the opportunity to gain some business. But let's step back and think of it for a moment - does it lend any additional security to the merchant apps than if they do not adhere to this requirement? In my opinion it does not.

For years now, security practitioners have tried to drive people away from thinking that security software is software security. PCI DSS #6.6 states exactly that. A web application firewall is an easy method to be compliant - since a code review is an expensive proposition, consumes significant time and the results need a lot more work to be presented meaningfully. Then, there is the question of manual versus automated analysis, and employing a certified vendor such as Cigital (shameless plug) to perform the task. My experience has indicated that even a somewhat meaningful code review (automated coupled with manual filtering and prioritization based on business risks) requires a framework, a basic acceptance of limitations and provisions, to be in place for the venture to succeed. Web application firewalls do have their own place in the scheme of things, but does the industry need any more band-aid solutions?

I think this requirement is self-defeating, in that the DSS purports to protect data - customer data as well as that of interest to the merchant or vendor - but gives the merchant an option of being compliant and yet not responsible for truly ensuring such security.</description>
		<content:encoded><![CDATA[<p>I think the PCI &#8220;standard&#8221; is hardly a standard. As far as we&#8217;re concerned, there are two ways to look at #6.6.</p>
<p>On the one hand, it gives a number of pen testing boutiques the opportunity to gain some business. But let&#8217;s step back and think of it for a moment - does it lend any additional security to the merchant apps than if they do not adhere to this requirement? In my opinion it does not.</p>
<p>For years now, security practitioners have tried to drive people away from thinking that security software is software security. PCI DSS #6.6 states exactly that. A web application firewall is an easy method to be compliant - since a code review is an expensive proposition, consumes significant time and the results need a lot more work to be presented meaningfully. Then, there is the question of manual versus automated analysis, and employing a certified vendor such as Cigital (shameless plug) to perform the task. My experience has indicated that even a somewhat meaningful code review (automated coupled with manual filtering and prioritization based on business risks) requires a framework, a basic acceptance of limitations and provisions, to be in place for the venture to succeed. Web application firewalls do have their own place in the scheme of things, but does the industry need any more band-aid solutions?</p>
<p>I think this requirement is self-defeating, in that the DSS purports to protect data - customer data as well as that of interest to the merchant or vendor - but gives the merchant an option of being compliant and yet not responsible for truly ensuring such security.</p>
]]></content:encoded>
	</item>
</channel>
</rss>