The Professional Security Testers Warehouse for the CEH V7 GPEN CPTS CREST GCIH GREM OPST: PCI DSS Standard
New PCI standard has been finalized Posted by cdupuis on Sunday, 31 October 2010 @ 03:13:34 EDT (1563 reads) Topic PCI DSS Standard
As seen on the fantastic Bank InfoSecurity web site at: http://www.bankinfosecurity.com/p_print.php?t=a&id=3043
New PCI Standards Finalized
Questions Still Remain About EMV, Tokenization
Linda McGlasson, Managing Editor, October 28, 2010
While there are no significant changes in the latest iteration of the Payment Card Industry Data Security Standard, outstanding questions remain about the emerging technology guidance that was released earlier this month.
The final version of PCI version 2.0 has just been released this week. It goes into effect on Jan. 1 but impacted entities have until Dec. 31, 2011, to become fully compliant.
"The biggest thing we've learned from this round of changes is that the PCI standards are maturing, and maturing gracefully," says Bob Russo, general manager of the PCI Security Standards Council, which oversaw the latest round of revisions, and while there are not many changes to the standard this time around, "it is clear to the council that different technologies that offer additional layers of security will be very important moving forward," Russo says.
PCI 2.0
There are 12 proposed changes in version 2.0 of the PCI-DSS, as well as the PCI Payment Application Data Security Standard. The changes fall into three main categories:
- Clarification: Clarifies intent of requirement; ensures that concise wording in the standards portray the desired intent of requirements;
- Additional Guidance: Provides further information on a particular topic to increase understanding of the intent of the requirement;
- Evolving Requirement: Ensures the standards are up-to-date with emerging threats and changes in the marketplace.
Key updates include:
- Reinforcement of the need for a thorough scoping exercise prior to the PCI-DSS assessment, in order to understand where cardholder data resides;
- Support for centralized logging included in the PCI PA-DSS to promote more effective log management;
- Validation, within certain requirements, of a risk-based approach for addressing vulnerabilities, allowing organizations to consider their specific business circumstances and tolerance to risk when assessing and prioritizing vulnerabilities; and
- Greater alignment between PCI-DSS and PA-DSS requirements to facilitate stronger security practices.
Those amendments were first introduced in August and then discussed at length during the North American PCI Community Meeting in September.
Emerging Technologies
Emerging technology standards, including ones on tokenization and encryption, will be addressed in the future, Russo says. The council issued its first guidance on EMV and encryption in October.
"When we first started looking at the emerging technologies, we looked at strengthening the existing standards by adding additional layers of technology, including EMV, point-to-point encryption and tokenization," Russo says. EMV is the chip standard that has been widely adopted throughout Europe as well as other parts of the world, including Canada and Mexico. EMV aims to replace magnetic-stripe technology, which continues to linger in the U.S.
The PCI Council reached out to industry security experts on these emerging technologies. "There was great interest in these emerging technologies, and some very large special interest groups have been working on the guidance," he says. In fact, the council's whitepaper on EMV was reviewed by EMVCo, the body that created the standard. "It is a start, and the groups will be making some recommendations going into 2011 on the EMV and encryption technologies, along with tokenization," Russo says. No standards exist for point-to-point, or P2P, encryption and tokenization. "We will have to study how they cut the cardholder data environment, and, therefore, possibly cut the scope," he says.
Training, Merchant Education
An additional program the PCI Council announced is the PCI Internal Security Assessor Program. The program offers training to help corporations internally assess their security programs. The PCI Council also is opening a micro website for retailers who need more information and education about PCI requirements and compliance. This website's unveiling comes at the right time, as security experts recently noticed a PCI compliance gap between larger retailers and smaller merchants. Criminals are beginning to move "down the food chain to target Level 3 and Level 4 retailers with cyber and physical attacks," Russo says.
PCI DSS Guide from Microsoft Posted by cdupuis on Saturday, 31 October 2009 @ 13:06:43 EDT (2492 reads) Topic PCI DSS Standard
As posted by Prakash on my CISSPStudy mailing list:
Hello all,
I would like to share Payment Card Industry Data Security Standard Compliance Planning Guide from Microsoft.
It is designed to help organizations meet Payment Card Industry Data Security Standard (PCI DSS) requirements. Specifically, this guide is targeted to merchants that accept payment cards, financial institutions that process payment card transactions, and service providers—third-party companies that provide payment card processing or data storage services. IT solutions for each of these groups must meet all PCI DSS requirements.
The guide is intended to augment The Regulatory Compliance Planning Guide, which introduces a framework-based approach to creating IT controls as part of your efforts to comply with multiple regulations and standards. This guide also describes Microsoft products and technology solutions that you can use to implement a series of IT controls to help meet the PCI DSS requirements, as well as any other regulatory obligations your organization may have.
DOWNLOAD http://www.microsoft.com/downloads/details.aspx?FamilyID=D8320DF1-D0D0-469F-A6FC-B53987BD74C2
PCI-DSS guidelines on wireless security have been released Posted by cdupuis on Saturday, 18 July 2009 @ 10:25:52 EDT (2096 reads) Topic PCI DSS Standard
Payment Standard for Web Apps Goes Live Posted by boss on Thursday, 10 July 2008 @ 22:37:58 EDT (8906 reads) Topic PCI DSS Standard
Anonymous writes "7/3/2008 By Jabulani Leffall
A new payment card industry (PCI) standard for Web application firewalls and source code went into effect July 1st.
The PCI Industry Data Security standard 6.6 gives merchants a framework to ensure that the point-of-sale information uploaded into browser-based applications is sound from "top to bottom," the organization's literature said.
The standard can be used to help thwart common threats to cardholder data. It provides two options for retailers. Option one includes periodic manual reviews of application source code to ensure the code is not tampered with in conjunction with an application. The second option calls for cutting off hackers at the network level. It entails implementing what the PCI calls a "security policy enforcement point positioned between a web application and the client end point" while using a firewall. Tests of the firewall's functionality -- whether implemented through software or hardware -- need to be documented for compliance purposes. The standard recommends inspecting the "contents of the application layer of an IP packet, as well as the contents of any other layer that could be used to attack a web application." But there is still no word on what the penalties for noncompliance to this new rule should be, which is up to the payment card companies to enforce.
"As for enforcement of the new requirement, that is up to the card payment brands as the Council is not responsible for compliance and/or enforcement," explained PCI Council spokesman Glenn Boyet in an e-mail. "It's the classic Texas two-step," said National Retail Federation Chief Information Officer Dave Hogan. "Merchants are frustrated. I mean you go to the credit card companies for clarification of the rules and they say go to the council. You go to the council and they say that's up to the credit card companies." The ambiguity puts retailers in limbo.
Typically, they are afraid to speak ill of PCI standards for fear of reprisals from credit card giants such as Visa and Mastercard, according to the National Retail Association. Hogan, a vocal critic of all of the current standards, would like to see retailers fully absolved of the responsibility of storing cardholder data on their systems, arguing that if retailers don't store it, hackers can't steal it.
To illustrate just how much the standards aren't working, Hogan pointed to the recent mass hack of grocery chain Hannaford Bros. in March. "You look at Hannaford [hack] and they were compliant, so what does all this really mean," Hogan said. "There seems to be a clear inconsistency in the rules."
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. You can contact Jabulani at editor@entmag.com.
"
IT Audit Checklist: Payment Card Industry (PCI) Posted by boss on Saturday, 19 January 2008 @ 13:48:26 EST (6249 reads) Topic PCI DSS Standard
cdupuis writes " IT Audit Checklist: Payment Card Industry (PCI)
Advice on assessing the robustness of PCI controls, recommendations for avoiding common PCI compliance failures, and information on ensuring continual improvement of IT security efforts.
Includes 54 specific checklist items.
Download
(requires brief registration for non-members) "
Great list of links related to the PCI DSS standard Posted by boss on Tuesday, 13 March 2007 @ 16:43:31 EDT (7377 reads) Topic PCI DSS Standard
Anonymous writes " Below you have a copy of an email sent by my friend Dan Swanson, who has been a long-term contributor to the CCCure web site and is one of the best at finding information on the net.
SearchSecurity.com: Compliance, March 07, 2007

Table of contents:
-- PCI compliance after the TJX data breach
-- Are you following the PCI Data Security Standard?
-- Compliance School is now in session
-- Has PCI version 1.1 made compliance any easier?
-- Leading resource summaries - PCI, Information Security, and Auditing

Security HEADLINES

PCI COMPLIANCE AFTER THE TJX DATA BREACH
The massive TJX data breach has reinforced the need for stricter controls when handling credit card information. In this tip, Joel Dubin reexamines the need for the PCI Data Security Standard and advises how to ease the PCI compliance burden. http://go.techtarget.com/r/1088715/4842737

Attend Email Security School
At SearchSecurity.com's Email Security School you'll learn tactics for securing your email systems. Each of the three lessons consists of a webcast, technical paper and quiz created by our guest instructor, Dr. Joel M. Snyder, technical editor of Information Security magazine.

ARE YOU FOLLOWING THE PCI DATA SECURITY STANDARD?
If your organization processes, stores or transmits credit card holder information, be sure you are making the right compliance decisions. In this exclusive live webcast, FTI Consulting's national strategic security practice leader, Roger Nebel, reviews the PCI Data Security Standard and explains how to follow each of the 12 mandates. http://go.techtarget.com/r/1088717/4842737

COMPLIANCE SCHOOL IS NOW IN SESSION
Even if your enterprise has established IT control standards and uses proper frameworks to assist with logging, auditing and reporting, there is still more work to do. In this newly launched Compliance School lesson, instructor Richard Mackey reveals how to take your organization's compliance program to the next level. http://go.techtarget.com/r/1088719/4842737

HAS PCI VERSION 1.1 MADE COMPLIANCE ANY EASIER?
Complying with the Payment Card Industry Data Security Standard and its ambiguous requirements and deadlines can be a daunting process. Fortunately, to help companies along, the industry recently released a new version of the PCI standard. In this tip, Mike Chapple reviews how the original standard has changed since its 2004 release, and how those changes will affect compliance and business processes. http://go.techtarget.com/r/1088721/4842737

Click on Read More... below for the whole list of links and more info
"
New LinkedIn Compliance Group has been formed Posted by boss on Sunday, 28 January 2007 @ 16:44:44 EST (20039 reads) Topic PCI DSS Standard
cdupuis writes " PCI Compliance Group Invitation (LinkedIn)
The PCI Compliance Group at LinkedIn has been formed to enable payment card industry professionals to network and assist each other outside of public forums. As a member of the PCI Compliance Group, you can:
- Reach out and establish contact with other PCI professionals
- Know more than a name - View rich professional profiles of fellow group members
- Discuss interpretations of PCI Data Security Standards
- Learn how members address compensating controls and scoping
- Discover new resources to aid in PCI compliance
- Accelerate your career through member referrals
Join the PCI Compliance Group at LinkedIn: https://www.linkedin.com/e/gis/2342/5254C44B9AF6
If you are not already a LinkedIn member, you will be able to join from this link. In either case, your application will be submitted to the group administrator for validation. This group is managed actively and closely, to ensure that the privileges are respected. Just if you believe the group is not being used for its stated intent.
Find Others in LinkedIn
In order to find other PCI compliance members on LinkedIn, you can take advantage of the PCI compliance Group in the "Your Groups" section of your LinkedIn home page. You can refine your search further within just the other PCI compliance Group members.
What is LinkedIn?
LinkedIn is the leading professional network tool online, used by over 9 million professionals worldwide. It is essentially a combination of "six degrees of separation" and "the devil you know". LinkedIn users have the ability to hide their e-mail address and post endorsements for each other. It takes about five minutes to set up a profile. From there, search for friends and former coworkers. There are currently over 9 million LinkedIn users. The link below provides great advice for establishing a profile. http://blog.guykawasaki.com/2007/01/linkedin_profil.html "
Visa USA Pledges $20 Million in Incentives to Protect Cardholder Data Posted by boss on Thursday, 14 December 2006 @ 00:05:40 EST (1655 reads) Topic PCI DSS Standard
cdupuis writes "First Payment Brand to Combine Financial Incentives and Fines to Encourage Adoption of Industry Security Standards
SAN FRANCISCO – December 12, 2006 – Visa USA today announced it will offer $20 million in financial incentives and create new sanctions in an effort to further merchant compliance with the Payment Card Industry Data Security Standard (PCI DSS).
The new effort, called the Visa PCI Compliance Acceleration Program (PCI CAP), is the first of its kind to provide positive reinforcement to the industry's traditional, fine-only approach. Visa PCI CAP represents one component of Visa's comprehensive strategy to address payment card fraud. "Locking down cardholder data is an important security component that will benefit financial institutions and merchants, and is equally important to maintain consumer trust in Visa," said Michael E. Smith, senior vice president of Enterprise Risk and Compliance at Visa USA. "By combining both incentives and fines, we expect acquirers to increase their efforts with merchants to accelerate their progress toward becoming PCI compliant and eliminating the storage of sensitive card data. Nothing is more important to Visa than securing commerce." The program targets the acquirers responsible for the largest 1,200 merchants – known as Level 1 and 2 merchants – that each process more than one million Visa transactions a year and combined account for approximately two-thirds of Visa's U.S. transaction volume. The initiative's goal is to eradicate the storage of full-track data, CVV2 and PIN data, and grow PCI compliance among this group of merchants. Visa reports current PCI compliance among Level 1 merchants at 36 percent and 15 percent among Level 2 merchants, with the majority in both levels actively working toward compliance.
Incentives for PCI Compliance
Visa is investing up to $20 million in an incentive fund payable to the acquiring financial institutions of the largest U.S. merchants who have already or will validate PCI compliance by August 31, 2007, and have not been involved in a data compromise. In addition, Visa will link the benefits of tiered interchange rates to PCI compliance, creating an additional security incentive for acquirers of large merchants. To qualify for an incentive payment, acquirers of Level 1 and 2 merchants who have validated full compliance with the PCI DSS by March 31, 2007 will be eligible to receive a one-time payment for each qualifying merchant. Acquirers whose Level 1 and 2 merchants validate compliance after March 31, 2007 and prior to August 31, 2007 will be eligible to receive a reduced one-time payment for each qualifying merchant. Acquirers will also be required to validate Level 1 and 2 merchant compliance with PIN security standards. Specifically, merchants must not use payment devices, such as PIN pads, that are known to be vulnerable to compromise, and merchants must use unique encryption keys for every device. Additionally, acquirers must demonstrate the establishment of a comprehensive compliance program for Level 3 and 4 merchants. Effective October 1, 2007, acquirers whose transactions qualify for lower interchange rates available in the Visa and Interlink tiers must ensure that the merchants generating the transactions are PCI compliant in order to receive this benefit. Acquirers are encouraged to use the incentives to fund merchant security compliance programs.
Fines for PCI Compliance and Data Storage
Visa's PCI CAP will build on the company's current enforcement efforts, which include acquirer fines for data compromises involving merchants of any size. Fines are also assessed on acquirers that have failed to confirm that full track data is not retained or that did not provide a PCI compliance plan for their Level 1 merchants by September 30, 2006. In 2006, Visa levied $4.6 million in fines, up from a 2005 total of $3.4 million. This new program sets an enforcement date for acquirers to validate PCI compliance for Level 1 and Level 2 merchants. Additionally, Visa is adding new fines to acquirers whose Level 2 merchant customers retain full-track data, CVV2 or PIN data after the transaction authorization. Specifically for PCI compliance, acquirers will be fined between $5,000 and $25,000 a month for each of its Level 1 and 2 merchants who have not validated by September 30, 2007 and December 31, 2007 respectively. For prohibited data storage, acquirers failing to provide confirmation that their Level 1 and 2 merchants are not storing full track data, CVV2 or PIN data by March 31, 2007 will be eligible for fines up to $10,000 a month per merchant, subject to escalation in the event material progress toward compliance is not made in a timely manner.
See full press release at: http://usa.visa.com/about_visa/press_resources/news/press_releases/nr353.html "
The PCI DSS security standard version 1.1 was release today Posted by boss on Thursday, 07 September 2006 @ 18:00:08 EDT (2071 reads) Topic PCI DSS Standard
cdupuis writes "New Independent Organization to Develop and Maintain Security Standards
WAKEFIELD, Mass. Sept. 7, 2006 American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International today jointly announced the formation of an independent council designed to manage the ongoing evolution of the Payment Card Industry (PCI) Data Security Standard, which focuses on improving payment account security throughout the transaction process.
The founding of the PCI Security Standards Council, LLC, marks a significant milestone in the payment industry's efforts to secure payment account data in a globally consistent manner. Ultimately this means that more than a billion global payment card users will benefit from a higher level of security protection against data theft and fraud.
"The payment brands that founded the Council are committed to ensuring the ongoing development of data security standards that are both efficient and effective," said Seana Pitt, chairperson, PCI Security Standards Council.
"The creation of this Council is a significant step forward in protecting cardholder information and it underscores the critical nature of this effort." By establishing the independent Council to manage the PCI Data Security Standard for the payments industry, the founding members are developing a system that is more accessible and efficient for all stakeholders including merchants, processors, point-of-sale (POS) vendors and financial institutions. Specifically, the PCI Security Standards Council will:
- Develop and maintain a global, industry-wide technical data security standard for the protection of accountholder account information;
- Reduce costs and lead times for Data Security Standard implementation and compliance by establishing common technical standards and audit procedures for use by all payment brands;
- Provide a list of globally available, qualified security solution providers via its Web site to help the industry achieve compliance;
- Lead training, education, and a streamlined process for certifying Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs), providing a single source of approval recognized by all five founding members; and
- Provide a transparent forum in which all stakeholders can provide input into the ongoing development, enhancement and dissemination of data security standards.
"Ensuring the security of electronic payments is of paramount importance to all stakeholders, not just the payment brands," continued Pitt. To that end, the PCI Security Standards Council invites all parties with a role to play in securing payment account data - including merchants, payment devices and services vendors, processors, financial institution and others - to participate in the new organization.
Participating organizations will be able to recommend changes, provide input on future initiatives, have access to and the ability to comment on drafts of potential changes to security standards in advance, as well as influence the organization's overall direction. In addition, participating organizations will be able to elect or serve as a member of the PCI Security Standards Council's Board of Advisors.
The PCI Security Standards Council will serve as an advisory group and manage the underlying PCI security standards, and each payment card brand will remain responsible for its own compliance programs.
As its first action, the PCI Security Standards Council also announced today the PCI Data Security Standard version 1.1. The new standard addresses evolving security threats and recommends that merchants and vendors take action to fortify application and network level security. It provides a framework for ongoing PCI compliance.
For more detailed information on PCI DSS 1.1, the Council's organizational structure and how to join, please click here.
About PCI Security Standards Council
The mission of the PCI Security Standards Council is to enhance payment account security by fostering broad adoption of PCI security standards. For more information, please click here.
You can get a copy of the September 2006 revision at: https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
For further information contact: Text 100 for PCI Security Standards Council, 212-871-4083, pci@text100.com "
PCI DSS Vendor Scanner Certification - The saga is ongoing Posted by boss on Wednesday, 06 September 2006 @ 08:13:38 EDT (2190 reads) Topic PCI DSS Standard
cdupuis writes "NOTE FROM CLEMENT: This is another post extracted from my friend James DeLuccia's blog on PCI DSS. It is a follow-up to the previous message posted below this one. It seems the requirements are being decreased while the threat has nowhere decreased. You can visit James' blog at: http://pcidss.wordpress.com/tag/pci-dss/ to read more about this subject.
Friday, August 25th, 2006
There have been several discussions around the cooler and the web on what it takes to become a MasterCard assessor under PCI DSS. The folks that undertake this journey must climb mountains of standards and requirements. Having steered a mid-sized company through this process, I will share the basic hurdles and requirements. In addition I will address some of the recent criticism, and hope that others will add their experiences to the discussion.

To become a MasterCard Assessor a company must travel to the MasterCard SDP website and review the documents. Once all the legal jazz is complete, a monetary contribution is required. These amounts can be attributed to many internal costs at MasterCard (maintaining the program, the site, the assessor testing platforms, communication, legal fees for reviewing dozens of contracts), but my favorite (hypothesized) reason is to keep the unsophisticated companies out of the list. By keeping out those smallest shops, MasterCard and VISA are able to require at least a modicum of an established professional organization for those that wish to conduct these services.

So, once the dues are paid the assessor (under MasterCard) is given a target environment to audit. The assessor is expected to treat this engagement as one of the hundreds they will perform for their clients. The intent here is to validate the assessor's competence in delivering these services, and completeness in meeting the requirements of PCI DSS. From experience however, there have been reports of companies assigning their leading penetration testers to the task, and then switching to their automated systems once they are certified. Assuming the organization does pass the test they are granted a certification number, and must provide this on every report they deliver. Having gone through this certification I can vouch that a simple Nessus scan will not qualify a vendor. Anyone have different experiences?

We had to establish an automated system that merged a Nessus scan with a Retina scan w/ SPI and THEN had a real person evaluate the results and do some final validation for the client-facing report. From there the accredited assessor now can market and attract clients under the PCI DSS umbrella. They may deliver a single quarter or lock in the client for many years. The greatest responsibility the assessor has is ensuring the client is providing ALL the applicable IP addresses that are to be audited. This is critical because if they do not provide them all or the assessor does not adequately discover the total assets - the contract has been breached. As a result, the client is non-compliant and susceptible to a false sense of security and hacking attacks (which then hit the consumer's wallet). In addition, the assessor is liable for the shoddy work that was delivered based on the terms of the contract. The assessor's risk is very high and at the mercy of the client in this case. So there are some good and bad points from the point of view of the client and the auditor.

A few tips (it is not all doom and gloom - it IS Friday after all):

Client (Merchant-Service Provider required to be compliant):
- Qualify the assessors before signing a multi-year contract (as the client you have a duty to evaluate the parties that are conducting this work). Remember: long-term contracts are cheaper $$, but may cause complacency.
- Lowest bid is not the best. You want to Optimize and not Maximize (Optimize the value through service and quality, while not maximizing or reaching burdensome control validations).
- Fully evaluate your environment and identify all external entry points (this should include partners, service providers, vendors, holding companies, etc…).
- Once the due diligence is complete on the entire external environment, determine where the card holder data passes and then be sure these are provided to the assessor.
- Maintain control over the environment. As the environments change, grow, merge, and divest, new in-scope IP addresses will exist. It is critical to ensure a central repository of up-to-date IP addresses is maintained.

Assessor:
- Conduct independent diligence on the client and identify all the IP address blocks the organization and its affiliates possess. This can easily be done with online WHOIS services.
- Provide the client with an exploratory questionnaire (are they using third parties?) to fully determine the possible external points in scope.
- Have the client certify that the final list (including the discovered IP addresses) is owned, in scope, and may be audited.
- Encourage transparency in the process (the intent of PCI DSS is to improve the security and not operate a black box service). The client will be better off and your relationship will too.

Overall it is the responsibility of all the parties to demand quality. Even though some organizations may be delivering low quality work today, the communication vehicles are in place to discover these individuals. As such, those who commit fraud during their accreditation will be discovered, and are exposing themselves to heavy liabilities for those that they are "certifying". Happy Friday, James DeLuccia IV "
PCI Mandates drop 8 of OWASP Top 10 Posted by boss on Wednesday, 06 September 2006 @ 07:59:07 EDT (6819 reads) Topic PCI DSS Standard
cdupuis writes "by James DeLuccia IV
MasterCard announced last week that the web application requirements for those receiving validation of external assets are being reduced.
Specifically, the requirements that listed the OWASP Top 10 as the standard have been reduced to a lesser, OWASP Top 2.
What does this mean for the industry? How does this appear to Congress as they navigate several pieces of legislation on protecting this type of information?
First off, a little background on validation and PCI DSS: In order to process credit cards an organization must agree to be compliant with the PCI DSS requirements. Organizations agree to these terms in their processor operating regulations contracts. Depending on how much volume the organization manages they have to demonstrate compliance.
Compliance can mean scanning the external segments or an onsite validation from a 3rd party. The scanning portion is managed by MasterCard and they actually certify companies to become compliant assessors. In addition, MasterCard provides the standards and criteria with which these services must be conducted.
Over the past year and a few months the standard has gotten stricter and required greater diligence by the assessor. That is until a few weeks ago when MasterCard deprecated the requirements for the web application component.
Prior to this last update, companies were required to have no threats as outlined under the OWASP Top 10 categories. This listing has become the de facto standard for classifying and recognizing threats for online applications. The update eliminates all but two of the Top 10. See below: The change can be interpreted in two ways. First, MasterCard received a large amount of complaints that the requirement was burdensome on the auditor and auditee. Second, MasterCard feels that the other 8 requirements are best practices and not objective enough to be part of an audit.
My thoughts are that this reduction in audit requirements is not consistent with the industry’s commitment to preventing security breaches. Web application vulnerabilities constitute a tremendous amount of the serious threats to organizations, and without some form of prevention (regular quarterly audits / web assessments, or web application / intelligent firewalls / IPS) the company and the industry’s image are at risk, not to mention the client’s data.
Is it appropriate to reduce the PCI DSS standards? Are those 8 other items really that subjective? If they are, should there only be a Top 2 list? Web App assessors, PCI QDSPs, or those who receive these services – SPEAK out!
James DeLuccia
See blog at: http://pcidss.wordpress.com/2006/04/13/ "