Security Basics mailing list archives
Re: PCI: DSS
From: "Sheldon Malm" <smalm () ncircle com>
Date: Fri, 23 May 2008 08:22:19 -0700
Check out the PCI:SSC website. They published a supplement for 6.6 that clarifies these requirements. In short, you must either have application code assessed by someone qualified to conduct such an assessment *OR* put a WAF in place.

Furthermore, source code auditing is not a *requirement*. The PCI:SSC's supplement confirms that black box testing (read web app scanners) can be used to meet 6.6 if used by an individual (or individuals) qualified to do an assessment. Among other things, this allows you to assess custom coded applications and 3rd party supplied applications (shrink wrap or custom) with a single tool or tool suite. Without this supplement, a WAF would have been the only reasonable option for applications for which the source code was not accessible. This is no longer the case.

While I would not necessarily discourage the use of App Layer firewalls, you do not *require* them for *PCI Compliance* if you are meeting the other assessment option req's for 6.6 (source code audit (automated or manual) or web app scanner by qualified individuals).

I hope this helps.

--------------------------
Sheldon Malm
Director Security Research and Development
nCircle VERT

Sent from my BlackBerry Wireless Handheld

----- Original Message -----
From: listbounce () securityfocus com <listbounce () securityfocus com>
To: security-basics () securityfocus com <security-basics () securityfocus com>
Sent: Fri May 23 06:53:00 2008
Subject: PCI: DSS

Hi all,

Can anyone confirm for me what sort of workarounds there are concerning PCI:DSS and application layer firewalls? Requirement 6.6 of the standard states this:

6.6 Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:
* Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
* Installing an application layer firewall in front of web-facing applications.
Note: This method is considered a best practice until June 30, 2008, after which it becomes a requirement.

We already have our custom code reviewed, but I'm wondering if I absolutely must sort out an application layer firewall or if there is a workaround that would be acceptable for a level 1 merchant. If there are any knowledgeable auditors (QSA etc.) out there I'd really appreciate your help on this one.

Many thanks

Pete
