[Owasp-standards] Introduction

owasp-standards-admin at lists.sourceforge.net owasp-standards-admin at lists.sourceforge.net
Thu Jan 5 22:33:38 EST 2006


Welcome to the group! I am sure we can gain a lot from your experience with
the payment card industry.

To answer your question: yes, this standards document is focussed on web
applications. The motivation behind this standard was the requirement of
OWASP compliance in PCI quarterly scans. PCI wants web based payment
applications to be OWASP compliant, but there were no details of what this
could mean and what to look for when certifying compliance.

Hence this project is to develop a formal standard that e-commerce web
applications can be checked against. We do not intend to cover non-web
applications under it, as PCI already has a standard/best practices document
for it.

- Vivek

On 1/5/06, owasp-standards-admin at lists.sourceforge.net <
owasp-standards-admin at lists.sourceforge.net> wrote:
> Hello,
> I just joined the list and wanted to say hello, and introduce myself. I
> have 6+ years of application development experience as it relates to payment
> processing at a smaller 3rd party processor, issuer, acquirer and
> settlement processor. I've been involved with a gamut of projects: data
> processing, internal and external integrations, e-commerce gateways,
> terminal development, PC application integration, stored value systems, both
> on Microsoft and Linux/UNIX platforms in various languages and connectivity
> options. And I have experienced a few PCI and other types of audits from "both
> sides of the table."
> I have not really read the archives or drilled down into the "Strawman"
> doc, but wanted to ask if this document is "web application" specific, or
> would provide guidance to applications that handle cardholder data in
> general. I'm thinking about payment terminals, and custom applications on
> Hypercom, Verifone, etc., PC application integration, shopping carts,
> real-time and batch processing, POS systems. Many of these are not web
> specific but with broadband are leveraging a web based transport (HTTPS), or
> have web based interfaces and hooks into these systems or their data, and
> may not be explicitly web apps, but have and leverage characteristics of them.
> I just wanted to verify the "scope" and see if any of these other types of
> applications, while not particularly web applications, are related for PCI
> application development, and perhaps get some clarification of how this project
> relates to the existing OWASP Guide, especially the *Handling e-Commerce
> Payments* section.
> I hope to add some insight into the group wherever I can, and read the
> archives and strawman where I might be able to answer my own questions.
> Regards,
> David Bergert
> Supervisor, Technology Risk Management Services
> RSM McGladrey, Inc.
> 201 North Harrison Street, Suite. 300
> Davenport, IA 52801
> Office: 563-888-4023
> Mobile: 563-650-6006
> Fax: 563-324-6939
> david.bergert at rsmi.com
> www.rsmmcgladrey.com