PCI council clarifies impending application rule

The PCI Security Standards Council has clarified two key provisions of the Payment Card Industry Data Security Standard (PCI DSS).

The clarifications cover PCI DSS requirement 11.3, which addresses penetration testing, and requirement 6.6, which addresses application code review and application firewalls.

According to the council, the industry organization that manages the PCI DSS, the information supplements are intended to guide merchants and service providers in their efforts to reach PCI DSS compliance.

Merchants and service providers should not focus too heavily on requirement 11.3, Alan Shimel, chief strategy officer at network security vendor StillSecure, told SCMagazineUS.com.

"It provides guidance for penetration testing -- guidelines for what is scanned, frequency and the like," he said, "and is more targeted to vendors of penetration scanning products."

However, requirement 6.6 is a different story.

"It's where the meat is," he said. "This brings into focus web application security."

Requirement 6.6, which takes effect June 30, gives merchants and service providers two options to ensure that input to web applications from untrusted environments is fully vetted, according to the PCI Security Standards Council. Although the requirements mandate the use of either an in-depth application code review or a web application firewall, the standard recommends deploying both techniques, Shimel said.

Organizations electing to undergo an application review have four choices. They can perform a manual review of application source code or conduct a manual web application security vulnerability assessment. In addition, they can use automated source code scanning tools, or they can deploy automated web application security vulnerability assessment tools.

The second option of the new requirement obliges organizations to deploy a web application firewall between the web server and end-point devices. This is in addition to requiring standard network firewalls typically placed on an enterprise network's perimeter.

"[Organizations] should do a more fine-grained job of matching their security technologies to the amount of information they know about their applications," Jack Danahy, founder and chief technology officer of Ounce Labs, a code scanning provider, told SCMagazineUS.com. "They should base their security needs according to the different types of applications they have and where the applications live within the network, and you need to test each application differently."

Meanwhile, Shimel said the rules are good news for vendors of web application firewalls.

"It's a lot easier to drop a web application firewall in front of a web server than to get code inspected," he said. "What the scan finds is the issue. If it finds flawed code, you have to recode stuff, and that can take time and money."