Web Connection
Re: Cross-site scripting & PCI Compliance
07/03/2009 04:34:32 PM
From: Rick Strahl
To: Aaron G
Attachments: None

Cleaning up HTML in this fashion is a losing battle and you will run into other issues if you go that route.

The only way to effectively deal with this is to never ever display user input back without HTMLEncoding first (or applying some sort of encoding). The problem is that you can apply all sorts of string variations to hack through this.

As far as PCI compliance goes you shouldn't have a ton of open access links that accept form input without authentication of some sort. Authentication will thwart most auto PCI scanners basically blocking access to your content. Minimizing the amount of input opportunities that are allowed to non-authenticated users is step one in this process.

+++ Rick ---

Security Metrics notified me that my site was not passing a new compliance test that they added. The guy told me the exact reason I am failing is because my web site will return a response with this entered into my email address login: "><script>alert('XSS')</script>

The server will respond XSS. They told me that my server can not respond to this type of request because it is a security weakness. (cross site scripting)

We tried to set up an "email trap" for the phrase: "><script>alert('XSS')</script> and issue a 404 response. It is not working because IIS will process the request.

Here is the code I am using to try and "trap" this request:

IF ATC(["><script>alert('XSS')</script>], pcUsername) > 0 .OR. ATC([>], pcUsername) > 0
   && Value contains the "><script>alert('XSS')</script> probe or a ">": send a 404 response
   oHeader = CREATE("wwHTTPHeader", Response)
   oHeader.SetProtocol([HTTP/1.1 404 Not Found])
   oHeader.CompleteHeader()
   RETURN   && stop processing so the value is never echoed back
ENDIF

If I enter this: "><script>alert('XSS')</script> the webserver responds with XSS

How can I prevent this request from being processed and make my site PCI compliant again?

Here is an article I found about this known issue: http://www.ibm.com/developerworks/tivoli/library/s-csscript/

Thanks!

Rick Strahl
West Wind Technologies

Where do you want to surf today?
Reader Version: 5.0

from Maui, Hawaii
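An added example, not code from this thread or from Web Connection, in Python rather than FoxPro so it can be run directly. It places the rejecting "trap" from the question beside the output-encoding approach the reply recommends: the probe string quoted in the thread is reflected into a login form field, once raw and once HTML-encoded, and a small check shows which rendering still contains live markup. The form markup, function names and the sample email addresses are assumptions made for the example.

```python
"""Reflecting a submitted login value back into a form: trap vs. encode.

Added example, not from the original thread or from Web Connection.
"""
import html
from typing import Optional

# The probe string quoted in the thread (constructed here as a test value).
XSS_PROBE = '"><script>alert(\'XSS\')</script>'


def render_login_unsafe(email: str) -> str:
    """Echo the submitted value straight back into the form.

    This is the weakness the scanner reported: the value can close the
    value="" attribute and inject its own markup. Shown only as the 'before'.
    """
    return f'<input type="text" name="email" value="{email}">'


def render_login_safe(email: str) -> str:
    """Same form, but the value is HTML-encoded before it is placed in the
    attribute. quote=True also encodes the double quote, so the value can
    never terminate the attribute it sits in."""
    encoded = html.escape(email, quote=True)
    return f'<input type="text" name="email" value="{encoded}">'


def blacklist_trap(email: str) -> Optional[int]:
    """Python equivalent of the ATC() check in the question: reject any value
    containing the exact probe or a '>' character with a 404.

    Returns 404 when the request should be rejected, None to let it through.
    The comparison is case-insensitive, as ATC() is.
    """
    lowered = email.lower()
    if XSS_PROBE.lower() in lowered or ">" in lowered:
        return 404
    return None


def contains_live_markup(page: str) -> bool:
    """Detection-style check on a rendered page: is there an unencoded
    script element, or a quote sequence that breaks out of an attribute?"""
    lowered = page.lower()
    return "<script" in lowered or '"><' in lowered


if __name__ == "__main__":
    # Constructed inputs: the probe from the thread and a legitimate value
    # that happens to contain the characters the trap rejects.
    for value in (XSS_PROBE, "Smith & Sons <sales@example.com>", "user@example.com"):
        print("input:   ", value)
        print("trap:    ", blacklist_trap(value))
        print("unsafe:  ", contains_live_markup(render_login_unsafe(value)))
        print("encoded: ", contains_live_markup(render_login_safe(value)))
        print()
```

The trap rejects the probe, but it also rejects a harmless address such as `Smith & Sons <sales@example.com>` and would have to grow a new pattern for every variation, which is the losing battle the reply describes. Encoding the value at the point it is written into the page needs no list of bad strings: every input is rendered as text, so the encoded form never contains a script element or an attribute-closing quote regardless of what was submitted.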