The PCI Security Standards Council has clarified two key provisions of the Payment Card Industry Data Security Standard (PCI DSS).
The clarifications cover PCI DSS requirement 11.3, which addresses penetration testing, and requirement 6.6, which addresses application code review and application firewalls.
According to the council, the industry organization that manages the PCI DSS, the information supplements are intended to guide merchants and service providers in their efforts to reach PCI DSS compliance.
Merchants and service providers should not focus too heavily on requirement 11.3, Alan Shimel, chief strategy officer at network security vendor StillSecure, told SCMagazineUS.com.
"It provides guidance for penetration testing -- guidelines for what is scanned, frequency and the like," he said, "and is more targeted to vendors of penetration scanning products."
However, requirement 6.6, is a different story.
“It's where the meat is," he said. "This brings into focus web application security."
Requirement 6.6, which takes effect June 30, gives merchants and service providers two options to ensure that input to web applications from untrusted environments is fully vetted, according to the PCI Security Standards Council. Although the requirements mandate the use of either an in-depth application code review or a web application firewall, the standard recommends deploying both techniques, Shimel said.
Organizations electing to undergo an application review have four choices. They can perform a manual review of application source code or conduct manual web application security vulnerability assessment. In addition, they can use automated source code scanning tools, or they can deploy automated web application security vulnerability assessment tools.
The second option of the new requirement obilges organizations to deploy a web application firewall between the web server and end-point devices. This is in addition to requiring standard network firewalls typically placed on an enterprise network's perimeter.
“[Organizations] should do a more fine-grained job of matching their security technologies to the amount of information they know about their applications," Jack Danahy, founder and chief technology officer of Ounce Labs, a code scanning provider, told SCMagazineUS.com. "They should base their security needs according to the different types of applications they have and where the applications live within the network, and you need to test each application differently."
Meanwhile, Shimel said the rules are good news for vendors of web application firewalls.
"It's a lot easier to drop a web application firewall in front of a web server than to get code inspected,” he said. “What the scan finds is the issue. If it finds flawed code, and you have to recode stuff, and that can take time and money."