Requirement 6.6 clarification
April 16th, 2008 by admin
Posted in PCI DSS, PCI SSC

It’s almost midnight and I’m back in my hotel room. What a long day! I played “booth babe” and talked with prospective clients at ETA. Seeing that attendance appears to be down from last year, we had a large group by our booth almost the entire time. Special thanks to the PCI SSC for having a social hour tonight, and special thanks to Discover for hosting the social mixer at the House of Blues. Rock on!
But I did take a few short trips to attend the PCI sessions. In these they provided clarification documents surrounding some areas of the PCI DSS. These were handed out in paper form and will be available electronically soon. I’m going to respect the Council’s timeline and not post the content until they do so on their site, but it seems nCircle is happy to post all about it.
This answers Jeremiah Grossman’s feedback from earlier this week. It is a classic example of why you (1) should not believe everything you read in the papers and (2) should focus on intent and not the literal meaning of the word “code” (or any other minor nuance, for that matter). Thank goodness they have Trey working to control the spin.
Clear? And don’t forget to read all about “web application” vs. “web-facing applications”.
5 Responses to “Requirement 6.6 clarification”
By Andrew van der Stock on Apr 18, 2008
Hi there,
Before clarifying the role of PCI DSS 6.6, it would be wise to touch base with NIST on their recent SATE competition. The company I work for (unrelated to OWASP) participated in SATE this year.
The early results are now in.
I believe some of these results will be discussed in June at SAW (http://samate.nist.gov/index.php/SAW), and more in October when the organizer of the SATE comparison will present at OWASP App Sec Conference ‘08 in NYC. The full public results are coming in December after an extensive process.
http://samate.nist.gov/index.php/SATE
It would definitely be worthwhile for PCI to investigate this comparison prior to making any decisions, or at least touch base with the organizer.
thanks,
Andrew