Notable changes in PCI DSS 2.0 affecting Web application security
Here are the big areas that affect us:
1. All locations and flows of cardholder data need to be identified/documented through a discovery process to ensure everything important is kept in check. I’m not sure why this fundamental principle of information risk needs to be clarified…At least there’ll be no more “accidentally” overlooking the small stuff.
2. The scope of protection now includes virtualization. Again, it’s interesting that this needed to be called out given the reality of anything with an IP address or URL is fair game for attack. I suspect lawyers had something to do with this clarification.
3. Payment applications must support centralized logging which aligns the PA-DSS and PCI DSS requirements. This is one of those behind-the-scenes areas of Web application security that would benefit us all if we delved deeper in to during our Web security assessments.
4. Additional “secure coding” guidance is provided including references to SANS CWE Top 25 and CERT standards which branches out from the previous references to OWASP only. I think this is a good approach as not everyone uses or relies on OWASP. Heck, at least half of the developers, QA professionals, IT managers and internal auditors I speak with have never even heard of OWASP anyway. It’s good to see a broader set of industry standards will be acceptable.
5. Finally, perhaps most importantly, there’s new guidance on taking a risk-based approach to the security assessment process. This includes preventing common coding flaws introduced during the SDLC that lead to “High” risk vulnerabilities. So, no more spreading fear and uncertainty on issues like cross-site request forgery (CSRF), parameter manipulation and so on which, looking at the big picture, might not matter in the context of your specific business environment.
The PCI Security Standards Council is playing these changes down as nothing new but I think they’re significant. Not only does version 2.0 of PCI DSS and PA-DSS help clear up some otherwise foggy issues from the version 1.2 days, it actually provides covered entities more power and control to use some common sense – something we need a lot more of when it comes to information security.
I’m not a big fan of the PCI Security Standards Council and the approach they’re taking with PCI compliance but kudos to them for making these revisions to the regulations – which, by the way, are now on a three year development cycle instead of it being every two years. Imagine the money that could be saved and efforts that could be limited if similar government regulations were continually updated. Okay, so the HITECH Act provided clarification and teeth for HIPAA but that’s the exception rather than the rule. It’s interesting insight into private industry versus government approaches to privacy and security regulation nonetheless.
In the end, no matter how much government agencies and industry bodies want to effect change in the marketplace through their regulations, odds are we’ll continue to see more of the same. More flaws, more attacks and more data breaches. There can be an unlimited amount of PCI-type regulations around the world but there’s still no fix for stupid security choices. I suspect Web vulnerabilities will live on…but I’m not complaining.