Comments
Oleg on April 16th, 2008 at 3:27 am #
Thank you, Mike!
Jeff Hall on April 16th, 2008 at 8:32 am #
As I recall (but cannot find the reference), the card brands, through the PCI SSC, further clarified 6.6 by defining that it was ALL browser-based applications that faced “untrusted” networks. They defined “untrusted” networks as any network where the assessee does not have 100% control over the operation and management of the network. Based on that definition, this would include browser-based applications that are used between business partners that do not use the Internet for communication.
wconway on April 16th, 2008 at 2:51 pm #
I know I’m speculating, but I can’t help but wonder whether with the emerging attack vectors, the next version of 6.6 will specify “ALL browser-based applications” that store, transmit, or process card data.
PCI Blog - Compliance Demystified » Blog Archive » Requirement 6.6 clarification on April 16th, 2008 at 10:59 pm #
[...] And don’t forget to read all about “web application” vs “web-facing applications” [...]
Evan on April 17th, 2008 at 6:21 am #
Your clarification that 6.5 is for internet AND intranet web apps appears to be in direct contradiction to the direction that Chris Marks gave in the February PCI class held on site at Visa headquarters. He said multiple times and we confirmed with him in person, that 6.5 (and 6.6) was only intended for external/internet facing web applications and not internal/intranet sites. It’s unfortunate that the PCI DSS leaves so much to interpretation and that we can’t even get consensus within the “expert” community.
Mitch on June 5th, 2008 at 3:34 pm #
I agree with Evan. I attended the May 2008 PCI class at Visa and was told the exact same thing by Chris. We also confirmed our understanding multiple times.