Daily Archives: April 13, 2006

PCI Mandates drop 8 of OWASP Top 10, by James DeLuccia IV

MasterCard announced last week that the web application requirements for those receiving validation of external assets is being reduced. Specifically, the requirements that listed the OWASP Top 10 as the standard has been reduced to a lesser, OWASP Top 2. What does this mean for the industry? How does this appear to Congress as they navigate several pieces of legislation on protecting this type of information?

First off, a little background on validation and PCI DSS: In order to process credit cards an organization must agree to be compliant with the PCI DSS requirements. Organizations agree to these terms in their processor operating regulations contracts. Depending on how much volume the organization manages they have to demonstrate compliance. Compliance can mean scanning the external segments or an onsite validation from a 3rd party. The scanning portion is managed by MasterCard and they actually certify companies to become compliant assessors. In addition, MasterCard provides the standards and criteria with which these services must be conducted.

Over the past year and a few months the standard has gotten stricter and required greater diligence by the assessor. That is until a few weeks ago when MasterCard deprecated the requirements for the web application component.

Prior to this last update, companies were required to have no threats as outlined under the OWASP Top 10 categories. This listing has become the defacto standard for classifying and recognizing threats for online applications. The update eliminates all but two of the Top 10. See below:

mc_web_changes.png The change can be interpreted in two ways. First, MasterCard received a large amount of complaints that the requirement was burdensome on the auditor and auditee. Second, MasterCard feels that the other 8 requirements are best practices and not objective enough to be part of an audit.My thoughts are that this reduction in audit requirements is not consistent with the industry’s commitment to preventing security breaches. Web application vulnerabilities constitute a tremendous amount of the serious threats to organizations, and without some form of prevention (regular quarterly audits / web assessments, or web application / intelligent firewalls / IPS) the company and the industry’s image are at risk, not to mention the client’s data.

Is it appropriate to reduce the PCI DSS standards? Are those 8 other items really that subjective? If they are, should there only be a Top 2 list? Web App assessors, PCI QDSPs, or those who receive these services – SPEAK out!

James DeLuccia