MasterCard announced last week that the web application requirements for those receiving validation of external assets is being reduced. Specifically, the requirements that listed the OWASP Top 10 as the standard has been reduced to a lesser, OWASP Top 2. What does this mean for the industry? How does this appear to Congress as they navigate several pieces of legislation on protecting this type of information?
First off, a little background on validation and PCI DSS: In order to process credit cards an organization must agree to be compliant with the PCI DSS requirements. Organizations agree to these terms in their processor operating regulations contracts. Depending on how much volume the organization manages they have to demonstrate compliance. Compliance can mean scanning the external segments or an onsite validation from a 3rd party. The scanning portion is managed by MasterCard and they actually certify companies to become compliant assessors. In addition, MasterCard provides the standards and criteria with which these services must be conducted.
Over the past year and a few months the standard has gotten stricter and required greater diligence by the assessor. That is until a few weeks ago when MasterCard deprecated the requirements for the web application component.
Prior to this last update, companies were required to have no threats as outlined under the OWASP Top 10 categories. This listing has become the defacto standard for classifying and recognizing threats for online applications. The update eliminates all but two of the Top 10. See below:
The change can be interpreted in two ways. First, MasterCard received a large amount of complaints that the requirement was burdensome on the auditor and auditee. Second, MasterCard feels that the other 8 requirements are best practices and not objective enough to be part of an audit.My thoughts are that this reduction in audit requirements is not consistent with the industry’s commitment to preventing security breaches. Web application vulnerabilities constitute a tremendous amount of the serious threats to organizations, and without some form of prevention (regular quarterly audits / web assessments, or web application / intelligent firewalls / IPS) the company and the industry’s image are at risk, not to mention the client’s data.
Is it appropriate to reduce the PCI DSS standards? Are those 8 other items really that subjective? If they are, should there only be a Top 2 list? Web App assessors, PCI QDSPs, or those who receive these services – SPEAK out!
James DeLuccia
Technology, Strategy, and Cybersecurity - explored, explained, and examined 
And they say our industry is dumbing down?
No THEY should not reduce the PCI standard. We are in this mess as hardly any secure development is being done and by doing this your allowing the sloppy development cycle to continue and the end looser is the customer and not the million dollar companies who allow it to happen.
Im shocked and saddened that Mastercard/VISA have adopted this approach. It totally sums up their attitude to this weak standard and it’s my opinion it will fail
Daniel
OWASP
This is really unfortunate because it essentially reduces the PCI requirements to the point that organizations only need to check for the two most common technical flaws in applications. In order for applications to be PCI compliant organizations really only need to run a scanner and get a relatively clean bill of health.
This does make the PCI standard more _auditable_ because testing can largely be automated, but it makes consumers significantly less secure. Decisions like this only serve to further the “scan it and declare it secure” mentality that is so damaging to real software security.
–Dan
Pingback: The McMillen Group, LLC » Blog Archives » PCI Mandates drop 8 of OWASP Top 10
Inc Research ReportOn May 29, 2013, Bristol-Myers Squibb Company
Research ReportOn June 12, 2013, Merck & Co. They would also be able to store data security compliance a huge volume of patient data.
Keryx Biopharmaceuticals data security compliance Inc Research
ReportOn May 29, 2013, Keryx Biopharmaceuticals, Inc.