[Global_education_committee] FW: PCI requirement..

Nishi Kumar nishi787 at hotmail.com
Thu Apr 21 18:34:06 EDT 2011


Date: Wed, 20 Apr 2011 21:46:01 +0000
From: member at linkedin.com
To: nishi787 at hotmail.com
Subject: RE: PCI requirement..

Troy Leach has sent you a message.
Date: 4/20/2011 
Subject: RE: PCI requirement.. 
Hi Nishi, 

Sorry, I've been traveling extensively and don't check linkedin often. 

6.5.x was a reflection of the OWASP Top 10 for version 1.2; however, that changed for version 2.0 of our standards to identify other vulnerabilities that may have been on a Top 12-15 for OWASP, and we also deviated from web-only application vulnerabilities. 6.5.x has always been examples to support the general intent of 6.5, and we fully support the effort of OWASP but wanted to reflect good work done by other bodies as well. 

For a more thorough answer, you can email my team at info at pcisecuritystandards.org. 


On 04/16/11 10:07 AM, Nishi Kumar wrote: 
Hi Troy, 

Thanks for accepting my LinkedIn invite. I am in the process of delivering a training session for PCI to the development group in FIS, since they are going through the PCI audit in two of our business units, and one question came up. Maybe you can help me clarify. 

PCI DSS version 1.2 and PCI DSS version 2.0 both mention the OWASP Guide for requirements 6.5.1 to 6.5.10. Do you think it means the OWASP Top 10 or one of the OWASP guides? It is also unclear which guide (Development, Testing or what). If we look at version 1.2 of PCI DSS, all the vulnerabilities are listed in the same order as the OWASP Top 10 for 2007, so I was thinking PCI means the OWASP Top 10. 

If we look at PCI DSS version 2.0, it has references to the OWASP Guide, SANS CWE Top 25 and CERT Secure Coding, all three, and the order is not that of the OWASP Top 10 for 2010, though it is mentioned that organizations have to use the updated versions of these best practices. 

Please clarify what PCI means by "OWASP Guide". I hope you are doing great. 

Nishi Kumar 
IT Architect Specialist 
512 632 3618 
