[Owasp-standards] RE: New OWASP project - PCI Web Security Standards

owasp-standards-admin at lists.sourceforge.net owasp-standards-admin at lists.sourceforge.net
Wed Dec 21 01:32:41 EST 2005

Hi all,

I fully agree with Justin.

Afte careful review of strawman draft, pls note my feedback/suggestions:

For Requirement 5: [I think below points will be good to have]
A password should use at least one numeric character and one alphabetic character. The password should have as many different characters as possible. Character variety is almost as important as password length. Lower- and upper-case letters, numbers, and other characters (!"?;%:?*()_+/@#$%...) may be used. 

Examples of weak passwords: pass123, password123, Tom, 92-42-5720242 

Example of a strong password: qj at 5^a2k  

It is recommended that users not re-use any of their previous four passwords, whether or not permitted by the system.

For requirement 10:
NOTE: PCI v1.0, Requirement 10.7, states: “An audit history usually covers a period of at least one year, with a minimum of three months available online.”

Care should be taken to not record sensitive information in application audit logs. For instance, access to a cardholder account should ensure that part of the account number is encrypted or scrubbed. The goal is to retain enough information to reconstruct access events without creating an exposure by recording too much information in the audit logs.

Ahmed Shahzad Awan

More information about the Owasp-standards mailing list