[Global_industry_committee] Assessing Payment Processing Services, API's and Payment Applications

Christian Heinrich christian.heinrich at owasp.org
Thu Oct 29 19:19:32 EDT 2009


Mark,

PCI PA-DSS is separate from PCI-DSS and is assessed by a different type
of Qualified Security Assessor (QSA), i.e. QSA and PA-QSA.

PA-DSS is focused on reviewing the scope of the Payment
Application API/Module/Object/Class/etc.


On Fri, Oct 30, 2009 at 10:00 AM, Mark Maxey <mmaxey at accuvant.com> wrote:
> The focus of this is actually not specifically PCI related. The focus of this is to target the actual payment processing engine itself vs focusing on protecting the data (PCI-DSS).
>
> -----Original Message-----
> From: Christian Heinrich [mailto:christian.heinrich at owasp.org]
> Sent: Thursday, October 29, 2009 6:45 PM
> To: Mark Maxey
> Cc: Global Projects Committee; Global_industry_committee
> Subject: Re: Assessing Payment Processing Services, API's and Payment Applications
>
> Mark,
>
> Can I suggest that this project's name be related to "PCI PA-DSS" to
> reflect the convention used by the PCI Security Standards Council (PCI
> SSC)?
>
> This would also assist in reducing the confusion when the OWASP
> Industry Global Committee have an opportunity to represent this
> project to the PCI SSC.
>
> On Thu, Oct 29, 2009 at 3:17 AM, Paulo Coimbra <paulo.coimbra at owasp.org> wrote:
>> Hello Mark,
>>
>> First of all, thank you for volunteering to lead an OWASP Project.  It is
>> with volunteers like yourself that OWASP continues to succeed in making
>> application security visible.
>>
>> Second, regarding your new leadership of this project, I'd like to request
>> that you send a project roadmap - basically the high level details of where
>> you'd like to take the project.  The OWASP Global Projects Committee (GPC)
>> will look at the roadmap and provide feedback on your project:  suggesting
>> projects which are closely related, resources and contacts which may assist
>> your efforts and any other suggestions to increase your project's success.
>>
>>
>>
>> To get your project started, here are a couple of references for your
>> review:
>>
>>  - The Guidelines for OWASP Projects provide a quick overview of items key
>> to a project's success -
>> http://www.owasp.org/index.php/Guidelines_for_OWASP_Projects,
>>
>>  - OWASP's Assessment Criteria is the metric by which projects are
>> evaluated.  There are three categories for projects: Alpha, Beta, and
>> Release.  The Assessment Criteria allows project leaders to know what
>> aspects of projects OWASP values -
>> http://www.owasp.org/index.php/Category:OWASP_Project_Assessment,
>>
>>
>>
>>  - OWASP's GPC blog - http://globalprojectscommittee.wordpress.com/,
>>
>> Your project will have an OWASP wiki page to inform and promote your project
>> to the OWASP community.  To setup your project's page, please provide the
>> details below so that the GPC can establish your initial project page.  The
>> details provided will be used to complete OWASP's project template.  Feel
>> free to add any additional information to the wiki page or request assistance
>> about how to add to your project's wiki page.
>>
>> Details to create your project page:
>> (0) Project Name,
>>
>> (1) Project purpose / overview,
>> (2) Project Roadmap (as mentioned above),
>> (3) Project links (if any) to external sites,
>> (4) Project License
>> (http://www.owasp.org/index.php/Guidelines_for_OWASP_Projects#Project_Licensing),
>> (5) Project Leader name,
>>
>> (6) Project Leader email address,
>> (7) Project Leader wiki account - the username (you'll need this to edit the
>> wiki),
>> (8) Project Maintainer (if any)  - name, email and wiki account (if any),
>> (9) Project Contributor(s) (if any) - name, email and wiki account (if any),
>>
>> As your project reaches a point that you'd like OWASP to assist in its
>> promotion, the GPC will need the following to help spread the word about
>> your project:
>>
>>  * Conference style presentation describing the project in at least 3 slides
>> -
>> http://globalprojectscommittee.wordpress.com/2009/07/27/what-is-the-3x-slide-presentation-thing/
>>
>>  * Project Flyer/Pamphlet (PDF file) -
>> http://globalprojectscommittee.wordpress.com/2009/07/21/what-is-this-project-flyerpamphlet-thing/
>>
>> As work on your project progresses and you are ready to create a release,
>> please let the GPC know of the change in status.  The GPC can work with you
>> to get your project assessed and moved up the OWASP quality ladder from
>> Alpha to Beta to Stable.  Every release does not require an assessment -
>> feel free to email the GPC if you are unsure about your project's
>> requirements.  For examples of projects at various quality levels, please
>> see the OWASP Project page -
>> http://www.owasp.org/index.php/Category:OWASP_Project
>>
>> That is all for now - I wish you and your project great success.  Thank you
>> for supporting OWASP's mission.
>>
>> Should you have any questions or require any further information, please do
>> not hesitate to contact me.
>>
>> Many thanks, best regards,
>>
>>
>>
>> Paulo Coimbra,
>>
>> OWASP Project Manager
>>
>>
>>
>> From: Jason Li [mailto:jason.li at aspectsecurity.com]
>> Sent: Wednesday, 28 October 2009 15:40
>> To: Mark Maxey; jeff.williams at owasp.org
>> Cc: paulo.coimbra at owasp.org
>> Subject: RE: Submitting Content for Testing Methodology
>>
>>
>>
>> Hi Mark,
>>
>>
>>
>> Apologies that I didn't get back to you sooner but I ended up catching the
>> flu last week.
>>
>>
>>
>> I'll forward this request to Paulo Coimbra, OWASP's Project Manager.
>>
>>
>>
>> He will get you started with a project mailing list and a Wiki account so
>> you can start editing your project content page.
>>
>>
>>
>> He will also ask you for a project roadmap. The project roadmap should be a
>> summary of your vision for the project. Ideally, it includes the type of
>> information you would like to capture in your methodology, the stages of
>> progress, etc. In other words, it's an outline of your idea that's detailed
>> enough that, were you to get hit by a bus, someone could take a look at the
>> roadmap and continue your vision of the project.
>>
>>
>>
>> If you have any questions, feel free to email me at jason.li at owasp.org
>>
>>
>>
>> -Jason
>>
>>
>>
>>
>>
>> From: Mark Maxey [mailto:mmaxey at accuvant.com]
>> Sent: Monday, October 19, 2009 4:10 PM
>> To: jeff.williams at owasp.org; Jason Li
>> Subject: RE: Submitting Content for Testing Methodology
>>
>>
>>
>> Jason, what do I need to do in order to set this up?
>>
>>
>>
>> Assessing Payment Processing Services, API's and Payment Applications.
>>
>>
>>
>> The methodology will focus on the interactivity between applications and
>> payment APIs including but not limited to abuse of functionality, logic
>> flaws, cryptographic attacks, man-in-the-middle attacks and denial of
>> service attacks.
>>
>>
>>
>> For example, analyzing payment APIs will include:
>>
>>  * Testing Payment API "test" modes vs live modes.
>>  * Analyzing responses from test card numbers.
>>  * Exploiting functionality -> Decline spam, exploiting open
>> processing windows (hold vs recognized revenue).
>>  * Do we need to store a payment card number to issue a credit?
>>  * Analyzing the security of the payment processing service:
>>    - Chargebacks vs "Credit"
>>    - "Credits"
>>    - Decline auditing
>>
>>
>>
>> From: Jeff Williams [mailto:jeff.williams at owasp.org]
>> Sent: Wednesday, October 07, 2009 10:50 PM
>> To: Mark Maxey; Jason Li
>> Subject: RE: Submitting Content for Testing Methodology
>>
>>
>>
>> Hi Mark,
>>
>>
>>
>> This sounds like a very useful OWASP resource.  I've copied Jason Li on the
>> Global Project Committee to help you get the project started.  Please let
>> him know if you'd like to be the lead for the project in an ongoing way or
>> if you just want to contribute some material.  Then we can figure out what
>> project this fits into or whether it should be a new one.
>>
>>
>>
>> Thank you very much for your contribution.  Please let me know if you have
>> any questions.
>>
>>
>>
>> --Jeff
>>
>>
>>
>> Jeff Williams, Chair
>>
>> The OWASP Foundation
>>
>> Work: 410-707-1487
>>
>> Main: 301-604-4882
>>
>>
>>
>> From: Mark Maxey [mailto:mmaxey at accuvant.com]
>> Sent: Wednesday, October 07, 2009 6:23 PM
>> To: owasp at owasp.org
>> Subject: Submitting Content for Testing Methodology
>>
>>
>>
>> I am working on a methodology for specifically testing payment applications.
>> I would like to submit this to the OWASP project. What process do I need to
>> follow in order to submit the content?
>>
>>
>>
>> --------------------------------------------
>>
>> Mark Maxey
>>
>> Accuvant - LABS
>>
>> Principal Consultant
>>
>> Cell: 859.948.5841
>>
>> Corp: 303.298.0600
>>
>> Fax: 207.221.1313
>>
>> http://www.accuvant.com
>>
>>
>>
>> _______________________________________________
>> Global-projects-committee mailing list
>> Global-projects-committee at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/global-projects-committee
>>
>>
>
>
>
> --
> Regards,
> Christian Heinrich - http://sn.im/cmlh_linkedin_profile
> OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
> Speaking Schedule at http://sn.im/cmlh_speaking_schedule
>



-- 
Regards,
Christian Heinrich - http://sn.im/cmlh_linkedin_profile
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
Speaking Schedule at http://sn.im/cmlh_speaking_schedule
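Two items in Mark Maxey's quoted list above, "decline auditing" and the question of whether a card number must be stored to issue a credit, lend themselves to a concrete defensive check. The Python below is an added illustration, not code from this thread or from any OWASP project: it runs a sliding-window decline audit over constructed log lines (flagging the burst pattern a decline-spam review would look for) and models a ledger in which a credit must reference a prior authorization and is bounded by the captured amount, so the full card number is never retained or re-supplied. The log format, the `client-N` source labels, the `auth-N` identifiers, the amounts and the ledger model are all assumptions made for the example.

```python
"""Defensive checks for two items in the quoted assessment list: decline
auditing and issuing credits without retaining a card number.
Constructed example: log format, source labels, amounts and the ledger
model are assumptions, not any real processor's API."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List


@dataclass
class Authorization:
    auth_id: str
    amount_cents: int          # amount placed on hold
    captured_cents: int = 0    # amount actually settled
    refunded_cents: int = 0    # credits already issued against this auth
    pan_last4: str = ""        # only a non-sensitive reference is kept


class PaymentLedger:
    """Assumed ledger model: a credit must reference a prior authorization,
    so the caller never stores or re-supplies the full PAN."""

    def __init__(self) -> None:
        self._auths: Dict[str, Authorization] = {}

    def authorize(self, auth_id: str, amount_cents: int, pan: str) -> Authorization:
        auth = Authorization(auth_id, amount_cents, pan_last4=pan[-4:])
        self._auths[auth_id] = auth
        return auth

    def capture(self, auth_id: str, amount_cents: int) -> int:
        """Settle part of a hold; returns the total captured so far."""
        auth = self._auths[auth_id]
        if auth.captured_cents + amount_cents > auth.amount_cents:
            raise ValueError("capture exceeds authorized amount")
        auth.captured_cents += amount_cents
        return auth.captured_cents

    def credit(self, auth_id: str, amount_cents: int) -> bool:
        """Referenced refund bounded by the captured amount: no credit against
        an unknown transaction or against a hold that was never settled."""
        auth = self._auths.get(auth_id)
        if auth is None or amount_cents <= 0:
            return False
        if auth.refunded_cents + amount_cents > auth.captured_cents:
            return False
        auth.refunded_cents += amount_cents
        return True


def audit_declines(log_lines: List[str],
                   window: timedelta = timedelta(minutes=5),
                   threshold: int = 5) -> Dict[str, int]:
    """Sliding-window decline audit: returns {source: peak declines seen in
    any window} for sources that reached the threshold. Constructed line
    format: "<ISO timestamp> <source> <APPROVED|DECLINED>"."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, int] = {}
    for line in log_lines:
        ts_text, source, result = line.split()
        if result != "DECLINED":
            continue
        ts = datetime.fromisoformat(ts_text)
        q = recent[source]
        q.append(ts)
        while ts - q[0] > window:   # drop declines older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[source] = max(flagged.get(source, 0), len(q))
    return flagged


# Constructed log: client-9 bursts five declines in 35 seconds,
# client-7 has two declines eight minutes apart, client-5 is approved.
SAMPLE_LOG = [
    "2009-10-29T19:00:00 client-5 APPROVED",
    "2009-10-29T19:00:05 client-9 DECLINED",
    "2009-10-29T19:00:10 client-9 DECLINED",
    "2009-10-29T19:00:20 client-9 DECLINED",
    "2009-10-29T19:00:30 client-9 DECLINED",
    "2009-10-29T19:00:40 client-9 DECLINED",
    "2009-10-29T19:01:00 client-7 DECLINED",
    "2009-10-29T19:09:00 client-7 DECLINED",
]


def run_demo() -> Dict[str, object]:
    ledger = PaymentLedger()
    ledger.authorize("auth-1", 5000, "4111111111111111")  # constructed test PAN
    ledger.capture("auth-1", 3000)
    return {
        "flagged": audit_declines(SAMPLE_LOG),              # {"client-9": 5}
        "credit_ok": ledger.credit("auth-1", 3000),         # True: within captured
        "over_credit": ledger.credit("auth-1", 1),          # False: exceeds captured
        "unknown_ref": ledger.credit("auth-404", 100),      # False: no such auth
    }


if __name__ == "__main__":
    print(run_demo())
```

The two pieces correspond to the "hold vs recognized revenue" distinction in the quoted list: `capture` is what turns a hold into revenue, and `credit` is deliberately bounded by `captured_cents` rather than `amount_cents`, so an open authorization window cannot be used to refund money that was never settled. The audit keys on whatever the processor logs as the request source; in a real deployment that would be a merchant or client identifier, not the constructed labels used here.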