I was really disappointed to see this post about the reduced application security requirements for PCI compliance. Instead of requiring organizations to test against the full OWASP Top 10, the standard now only requires them to check for unvalidated input leading to SQL Injection and Cross-Site Scripting (XSS) attacks. That is pretty weak.
This change makes the standard much easier to audit against, because any legitimate black-box scanning tool ought to be able to find these flaws, but it makes the protection of consumer information much less rigorous. Will it make applications more secure? Yes. Will it make applications secure? Not even close.
I guess it isn’t terribly surprising to find large corporations making things easier for other large corporations but I had still hoped for more. Perhaps the next go-around will result in a standard with more teeth.
–Dan