Saturday, April 12, 2008

Next Version of PCI DSS Due in September

Via TechTarget -

PCI Security Standards Council General Manager Bob Russo said merchants can expect the next revision to the Payment Card Industry Data Security Standard in September.

"I can't really tell you if it's going to be a rev, or a new version number. In my mind, it doesn't really matter if it's a 1.2 or a 2.0; anything that gets changed is something you've got to address," Russo said. "It won't be anything too drastic. It will be based on input we've gotten over the last year and a half from all of our stakeholders."

Russo said some of the areas that will be tweaked or clarified will be around wireless implementations, application security and pre-authorization.

Russo is attending RSA Conference 2008, where thousands of IT security professionals have gathered this week. PCI and compliance issues are among top concerns of conference attendees.

Russo said that the PCI standard lives on a two-year lifecycle, and the next version comes due in September. A beta version of the standard will be released in August to the council's 500 participating organizations, as well as all of the council's qualified security assessors for feedback. They'll have 30-45 days to look it over for a "sanity check," Russo said. "It's a pretty good checks-and-balances system."

Russo said that additional guidance and clarification will be available in May for requirement 6.6, which moves from best practice to mandatory on June 30. PCI 6.6 has been the subject of some confusion for merchants trying to interpret how it's written. The section, which falls under the main heading of developing and maintaining secure systems and applications, covers the security of Web-facing applications. As of June 30, it will mandate that Web apps be protected against known attacks by either having custom code reviewed by a third party, or by installing an application-layer firewall in front of a Web app.

"There are guidance documents coming out that will clarify a lot of this stuff before June," Russo said.

The council recently posted a new document on its site called Navigating the DSS, which goes through each of the requirements in detail, explaining the intent and how requirements can be met.

The confusion over 6.6 rests in the either-or nature of the wording.

"Personally, I'd love to see everyone go through on OWASP-based source-code review, but certainly, that's not going to happen," Russo said, referring to the expensive and time-consuming process of manual code reviews. "So the application firewall is probably the best thing to do, but there needs to be some clarification around what it needs to do. That clarification is coming; that's been the biggest question."

2 comments:

  1. a lot of people have been wondering about pci-endorsed options for code review. tyler over at ncircle posted part of an update released by pci ssc yesterday that makes it a little clearer.

    tyler's post is here: http://blog.ncircle.com/


    ** SPOILER ALERT **

    you can use scanners to meet 6.6

  2. Thanks Lennykaufman.

    I can't say that I am shocked by this clarification. While manual code analysis is very complete and worth the money... it costs a lot.

    As a pen-tester, I commonly use enterprise-level web application security scanners, but I have taught myself to always question their results. Just as you should always question Nessus and any other tool.

    In my experience, a manual vulnerability assessment (or pen-test) just finds more vulnerabilities.

    No machine can match the intelligence of the human brain. We can see relationships very easily and machines have a very hard time with connecting flows and logic.