PCI council clarifies impending application rule

The PCI Security Standards Council has clarified two key provisions of the Payment Card Industry Data Security Standard (PCI DSS).

The clarifications cover PCI DSS requirement 11.3, which addresses penetration testing, and requirement 6.6, which addresses application code review and application firewalls.

According to the council, the industry organization that manages the PCI DSS, the information supplements are intended to guide merchants and service providers in their efforts to reach PCI DSS compliance.

Merchants and service providers should not focus too heavily on requirement 11.3, Alan Shimel, chief strategy officer at network security vendor StillSecure, told SCMagazineUS.com.

"It provides guidance for penetration testing -- guidelines for what is scanned, frequency and the like," he said, "and is more targeted to vendors of penetration scanning products."

However, requirement 6.6 is a different story.

"It's where the meat is," he said. "This brings into focus web application security."

Requirement 6.6, which takes effect June 30, gives merchants and service providers two options to ensure that input to web applications from untrusted environments is fully vetted, according to the PCI Security Standards Council. Although the requirements mandate the use of either an in-depth application code review or a web application firewall, the standard recommends deploying both techniques, Shimel said.

Organizations electing to undergo an application review have four choices. They can perform a manual review of application source code or conduct a manual web application security vulnerability assessment. In addition, they can use automated source code scanning tools, or they can deploy automated web application security vulnerability assessment tools.

The second option of the new requirement obliges organizations to deploy a web application firewall between the web server and end-point devices. This is in addition to the standard network firewalls typically placed on an enterprise network's perimeter.

"[Organizations] should do a more fine-grained job of matching their security technologies to the amount of information they know about their applications," Jack Danahy, founder and chief technology officer of Ounce Labs, a code scanning provider, told SCMagazineUS.com. "They should base their security needs according to the different types of applications they have and where the applications live within the network, and you need to test each application differently."

Meanwhile, Shimel said the rules are good news for vendors of web application firewalls.

"It's a lot easier to drop a web application firewall in front of a web server than to get code inspected," he said. "What the scan finds is the issue. If it finds flawed code, you have to recode stuff, and that can take time and money."