[Global_industry_committee] Assessing Payment Processing Services, API's and Payment Applications

Christian Heinrich christian.heinrich at owasp.org
Thu Oct 29 22:32:16 EDT 2009
I don't disagree with your related comments about the lack of depth to
PA-DSS based on the critical analysis that Darren Skidmore and I
presented at OWASP Australia 2009.

Hence, the Industry Committee could suggest these improvements to the PCI SSC.

On 10/30/09, Mark Maxey <mmaxey at accuvant.com> wrote:
> I understand this; however, the big focus of this is actually abusing the
> functionality of the API (for example generating a large number of
> chargebacks to a merchant) vs what PA-DSS covers. I have no issue rolling this
> under a heading as it is all related, but some of this is unrelated to what
> is covered by each of those standards.
>
> -----Original Message-----
> From: Christian Heinrich [mailto:christian.heinrich at owasp.org]
> Sent: Thursday, October 29, 2009 7:20 PM
> To: Mark Maxey
> Cc: Global Projects Committee; Global_industry_committee
> Subject: Re: Assessing Payment Processing Services, API's and Payment
> Applications
>
> Mark,
>
> PCI PA-DSS is separate from PCI-DSS and is assessed by a different type
> of Qualified Security Assessor (QSA), i.e. QSA and PA-QSA.
>
> PA-DSS is focused on reviewing the scope of the Payment
> Application API/Module/Object/Class/etc.

Christian Heinrich - http://sn.im/cmlh_linkedin_profile
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
Speaking Schedule at http://sn.im/cmlh_speaking_schedule