Wednesday, October 10, 2007

PCI Compliance bothering???


When I was reading through the PCI DSS standard, something that was bothering me was the following requirement:

Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:

* Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
* Installing an application layer firewall in front of web-facing applications.

This method is to be considered a best practice until June 30, 2008, after which it becomes a

My confusion was whether I had to hire someone to do a code review or penetration testing, or whether other means would work. Finally I was able to clear this up by posting the question to PCI and getting an answer.

What they mentioned was:

Using specialized 3rd-party tools that perform thorough analysis of applications to detect vulnerabilities and defects may well meet the intention and objectives of the source code review requirement in PCI Data Security Standard requirement 6.6, if the company using the 3rd-party tool also has the internal expertise to understand the findings and make appropriate changes.

The PCI Security Standards Council will look to clarify this section of the standard during the next revision, to include that testing of web-facing applications can be done via source code review or products that test the application thoroughly for defects and vulnerabilities (when internal staff have the skills to use the tool and fix defects). The PCI Security Standards Council will also consider including prescriptive requirements as to what both the application firewall and application analysis tool or process should test for.


Finally, I could settle the confusion. I need not go for a 3rd-party review to go through several lines of code, or do it myself. I can very well use tools like WebInspect and AMP to complete this requirement.



  1. Hi Dharmesh,

    Thanks for posting this up. This is really useful information. I was also unclear about this.


  2. Dear Dharmesh,

    This is very nice info. It never occurred to me to pen down to PCI for clarifications.

  3. Has PCI recommended a list of tools for different platforms, or can one choose any? There are so many development platforms; are there reliable tools available for each of them? PCI should recommend a list of tools for each development platform.

  5. @Raju:

    Yes, there is a list of approved scanning vendors recommended for use.