[Owasp-topten] Feedback from PCI folks

Andrew van der Stock vanderaj at owasp.org
Mon Feb 5 10:11:20 EST 2007

Hi there,

Please check out this post.


"Andrew, I don¹t know if the PCI technical committee is looking to add
input, but rather solicit and perhaps adopt the new T10 into their audit

The goal of the OWASP T10 in requirement 6.5 of the PCI DSS is to test
applications for each attack method prior to introducing an application into
a production environment. This means the company or audit team should be
able to assess the application, with relative ease, against the T10.

One problem with the currently used T10 list is the following:
* Some of the requirements appear to be redundant (i.e. unvalidated input
and XSS attacks)
* Denial of service attacksŠ everyone asks, ³how do you test for this?²

The current T10 list is more technical that any before, or at least appears
so. This makes it harder for the QSA auditors to understand, who then ask
more questions of the card brands/associations, which they cannot directly
answer. Although the T10 list may be more technically reflective of the
current state of web-based attacks, it makes life harder for all involved in
PCI compliance.

I would recommend identifying the most common methods for credit card
compromise and create a T10 list for the payment services industry. I know
the HoneyNet group is working on such a list, and the card brands have a
list from previous compromises.

I recall OWASP was working on a PCI related project called ³PCI Web Security
Standards². I can¹t find this on the OWASP website. Where did it go?

I would recommend creating a project such as that to make it easier for all
participants in the payment services industry."

More information about the Owasp-topten mailing list