Requirement 6.6 clarification
Filed Under (PCI DSS, PCI SSC) by Michael Dahn on April-16-2008

It’s almost midnight and I’m back in my hotel room.  What a long day!  I played “booth babe” and talked with prospective clients at ETA.  Seeing that attendance appears to be down from last year, we had a large group by our booth almost the entire time.  Special thanks to the PCI SSC for having a social hour tonight, and special thanks to Discover for hosting the social mixer at the House of Blues.  Rock on!

But I did take a few short trips to attend the PCI sessions.  In these they provided clarification documents surrounding some areas of the PCI DSS.  These were handed out in paper form and will be available electronically soon.  I’m going to respect the Council’s time line and not post the content until they do so on their site, but it seems nCircle is happy to post all about it.

The answers Jeremiah Grossman’s feedback from earlier in this week.  This is a classic example of why you (1) should not believe everything you read in the papers and (2) should focus on intent and not the literal meaning of the word “code” (or any other minor nuance for that matter.)  Thank goodness they have Trey working to control the spin.

Clear? And don’t forget to read all about “web application” vs “web-facing applications”

Popularity: 29% [?]

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]
   Read More


Comments
Andrew van der Stock on April 18th, 2008 at 11:44 am #

Hi there,

Before clarifying the role of PCI DSS 6.6, it would be wise to touch base with NIST on their recent SATE competition. The company I work for (unrelated to OWASP) participated in SATE this year.

The early results are now in.

I believe some of these results will be discussed in June at SAW (http://samate.nist.gov/index.php/SAW), and more in October when the organizer of the SATE comparison will present at OWASP App Sec Conference ‘08 in NYC. The full public results are coming in December after an extensive process.

http://samate.nist.gov/index.php/SATE

It would definitely be worthwhile for PCI to investigate this comparison prior to making any decisions, or at least touch base with the organizer.

thanks,
Andrew

PCI Blog - Compliance Demystified » Blog Archive » Traveling to a city near you on April 19th, 2008 at 9:40 am #

[...] week at ETA, the PCI SSC released clarification documents about requirements 6.6 and 11.3.  Keep checking the PCI SSC website for the electronic copies.  I’m excited to see [...]

PCI DSS clarifies Web Application FW Requirement Sec 6.6 « Payment Card Security & IT Controls Explained on April 19th, 2008 at 1:09 pm #

[...] was a banner week in PCI DSS clarifications, interpreted confusion by third parties, and varied levels of agreement and discontent.  At this time the clarification that was distributed at this year’s ETA [...]

PCI Blog - Compliance Demystified » Blog Archive » PCI SSC Clarifies Requirements 6.6 and 11.3 on April 22nd, 2008 at 1:34 pm #

[...] you will find the PDFs that the Council released at ETA this year.  The paper copies created immediate conversation in the blogging world, but now they are available online for everyone to read and [...]

Post a comment
Name: 
Email: 
URL: 
Comments: