[OWASP-Bangalore] [Owasp-Mumbai] PCI DSS and IT Security
McGovern, James F. (P+C Technology)
James.McGovern at thehartford.com
Fri May 28 11:31:25 EDT 2010
Responses inline in RED
________________________________
From: owasp-mumbai-bounces at lists.owasp.org
[mailto:owasp-mumbai-bounces at lists.owasp.org] On Behalf Of purohit singh
Sent: Friday, May 28, 2010 8:21 AM
To: owasp-delhi at lists.owasp.org; owasp-bangalore at lists.owasp.org;
Owasp-kolkata at lists.owasp.org; OWASP-Mumbai at lists.owasp.org
Subject: [Owasp-Mumbai] PCI DSS and IT Security
> Dear All,
> This is with reference to PCI DSS. Is the PCI DSS policy only restricted
> to applications, systems and environments where debit cards or credit
> cards are used for transactions?

YES

> How about transactions involving internet banking for retail users and
> corporate banking for corporates where no credit card or debit card
> details are used?

If you are referring to the usage of debit cards or other payment
mechanisms, PCI does not have a position on this. I would say that other
methods will probably encourage something similar in the future, so
thinking about it now is a good thing.

> Also, how is the PCI DSS policy technically implemented? Financial and
> banking organizations don't implement the PCI DSS policy in the first
> step. There is a lot of opposition and red-tapism to change. The
> application penetration testing is executed in one phase, the network
> pen-test is done at a later stage, and the web server VA and database
> audit are done randomly. So how is the PCI DSS policy executed and
> integrated? Please clarify.

Each organization has its own philosophies as to order and whether they
should be done serially or concurrently. I would focus less on this and
more on ensuring that an organization has the right software assurance
practices. Are you familiar with OWASP SAMM (www.opensamm.org), which is
the best model of maturity to date?

> With regards,
> Purohit Singh
http://twitter.com/mcgoverntheory