[Owasp-pci-project] About "Should OWASP work directly with PCI-DSS?" Working session

Christian Heinrich christian.heinrich at owasp.org
Thu Mar 10 21:32:21 EST 2011


James,

On Fri, Mar 11, 2011 at 2:36 AM, James McGovern <JMcGovern at virtusa.com> wrote:
> Previous versions of the PCI spec referenced OWASP which was a positive first step. However, the biggest gap I see is that the vast majority of PCI QSA's honestly wouldn't recognize whether someone was even literate in OWASP vs those who are great storytellers. In talking with a few PCI QSA's, they did mention that in their training, they at best only spend 10 minutes on section 6...

Michael Dahn clarified this for me verbally some time ago, so the
statement below might not be exact :)

The first day of the two-day QSA course is used to explain the payment
industry, as a majority of the QSC (i.e. security companies) lack
experience in the payment industry.

The second day is used to briefly cover all of the 12 requirements of
PCI DSS, hence the small focus on 6.6 when you consider all of the
controls within PCI DSS in their entirety. Theoretically a QSA should
know the 12 requirements already but their technical knowledge varies
greatly in practice.


-- 
Regards,
Christian Heinrich
http://www.owasp.org/index.php/user:cmlh

