Apr 23 2008
I guess Bob Russo and the PCI Security Standards Council heard the roar of the crowds at RSA and decided to do something to help clarify the situation around requirements 6.6 and 11.3. In reality, they probably had this in the works for months and may have even tried stirring things up a little at RSA to get more attention for the supplements. In either case, it’s good that they’re working on making the standards clearer, and they’ll be working these updates into the next version of PCI. We’re still not sure if it’s going to be 1.2 or 2.0, but it’s coming in September.
The updates to 11.3 are relatively minor and center around clarifying what’s expected from the penetration test. The update to 6.6 explicitly spells out what the acceptable solutions are for code review:
- Manual review of source code
- Automated app source code analyzers
- Manual web app vulnerability assessment
- Automated web app vulnerability assessment
It also lays out a number of suggestions for a web application firewall, but none of these are requirements at this time. The absolute minimum on a WAF is checking for and protecting from the OWASP top 10 vulnerabilities, but if that’s all you’re getting from your WAF, you better go ask for your money back.
The updates to 11.3 are going to matter to Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs) more than they are to the average company complying with PCI. On the other hand, the clarifications on 6.6 are going to be very important to everyone who’s involved in PCI as the June 30, 2008 deadline for complying with 6.6 approaches. One thing I’d like to see clarified even further is the term “proper use of” when it refers to application and source code tools: does this mean that the person using the tools needs to be certified in some way, have proof of training, or just needs to say they’re experienced with the tools? It’s minutiae like this that give QSAs gray hair.