[Owasp-ireland] Another PCI issue........

davidrook david.rook at realexpayments.com
Fri Apr 18 05:18:18 EDT 2008

I thought as Eoin stirred the hornets nest that is PCI DSS a few weeks 
ago I would post something on this subject as well.

PCI point 6.6 has been causing a bit of confusion around what actually 
needs to be carried out by an organisation aiming to be PCI compliant. 
Requirement 6.6:

Ensure that all web-facing applications are protected against known 
attacks by applying either of the following methods:
• Having all custom application code reviewed for common vulnerabilities 
by an organization that specializes in application security
• Installing an application layer firewall in front of web-facing 
Note: This method is considered a best practice until June 30, 2008, 
after which it becomes a requirement.

The code review point is where a lot of the confusion came from. In an 
attempt to clear the confusion up the PCI council have announced the 

The application code review option does not necessarily require a manual 
review of source code. Keeping in mind that the objective of Requirement 
6.6 is to prevent exploitation of common vulnerabilities (such as those 
listed in Requirement 6.5), several possible solutions may be 
considered. They are dynamic and pro-active, requiring the specific 
initiation of a manual or automated process. Properly implemented, one 
or more of these four alternatives could meet the intent of Option 1 and 
provide the minimum level of protection against common web application 

1. Manual review of application source code
2. Proper use of automated application source code analyzer (scanning) tools
3. Manual web application security vulnerability assessment
4. Proper use of automated web application security vulnerability 
assessment (scanning) tools

But more interestingly Bob Russo (President of the PCI council) said:

"Personally, I'd love to see everyone go through on OWASP-based 
source-code review, but certainly, that's not going to happen," Russo 
said, referring to the expensive and time-consuming process of manual 
code reviews.” "So the application firewall is probably the best thing 
to do, but there needs to be some clarification around what it needs to do.”

The point of this email is to see how you guys feel this could effect an 
organisations stance on Application Security? The PCI council seemed to 
be making a good step forward with requirement 6.6 but have they now 
diminished its effectiveness by stating you are better off not doing the 
source code review and just implementing an application firewall?

David Rook | david.rook at realexpayments.com
Information Security Analyst

Realex Payments
Enabling thousands of businesses to sell online.

Realex Payments, Dublin, www.realexpayments.com
Castlecourt, Monkstown Farm, Monkstown, Co Dublin, Ireland
Tel: +353 (0)1 2808 559 Fax: +353 (0)1 2808 538

Realex Payments, London, www.realexpayments.co.uk
1 Hammersmith Grove, London W6 0NB, England
Tel: +44 (0)203 178 5370 Fax: +44 (0)207 691 7264

Pay and Shop Limited, trading as Realex Payments has its registered office at Castlecourt, Monkstown Farm, Monkstown, Co Dublin, Ireland and is registered in Ireland, company number 324929.

This mail and any documents attached are classified as confidential and
are intended for use by the addressee(s) only unless otherwise
indicated. If you are not an intended recipient of this email, you must
not use, disclose, copy, distribute or retain this message or any part
of it. If you have received this email in error, please notify us
immediately and delete all copies of this email from your computer

More information about the Owasp-ireland mailing list