In version 1.1.1 of the PCI DSS (Payment Card Industry Data Security Standard), there are requirements for securing the application layer of a credit card handler’s information system. This is a great step forward, imo, as it will address the layer with the majority of defects (finally) since we continue to write and buy insecure software. However, there is a clause in requirement section #6 that states that all web-facing applications must be protected against known attacks by applying either of the following methods.
Source: https://www.csoonline.com/article/2135966/does-the-pci-standards-council-have-a-clue-.html

