PCI Standard: Who Are They Looking Out For?

I was really disappointed to see this post about the reduced application security requirements for PCI compliance. Instead of requiring organizations to test against the full OWASP Top 10, now organizations only need to check for unvalidated input leading to SQL Injection and Cross Site Scripting (XSS) attacks. That is pretty weak.

This change makes the standard much easier to audit against because any legitimate black box scanning tool ought to be able to find these flaws, but it makes consumer information protections much less rigorous. Will it make applications more secure? Yes. Will it make applications secure? Not even close.

I guess it isn’t terribly surprising to find large corporations making things easier for other large corporations, but I had still hoped for more. Perhaps the next go-around will result in a standard with more teeth.

–Dan

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
