Notable changes in PCI DSS 2.0 affecting Web application security
- Thursday, November 18, 2010, 6:26
- Articles, Threat Research
“Clarification, additional guidance, and evolving requirements” – welcome to the new PCI standards! Hot off the press are the new PCI DSS and PA-DSS requirements which take effect January 1, 2011. So, if you work in or around Web application security, it’ll behoove you to familiarize yourself with what’s coming.
Here are the big areas that affect us:
1. All locations and flows of cardholder data need to be identified and documented through a discovery process to ensure everything important is kept in check. I’m not sure why this fundamental principle of information risk needs to be clarified… At least there’ll be no more “accidentally” overlooking the small stuff.
2. The scope of protection now includes virtualization. Again, it’s interesting that this needed to be called out, given the reality that anything with an IP address or URL is fair game for attack. I suspect lawyers had something to do with this clarification.
3. Payment applications must support centralized logging, which aligns the PA-DSS and PCI DSS requirements. This is one of those behind-the-scenes areas of Web application security that would benefit us all if we delved into it more deeply during our Web security assessments.
4. Additional “secure coding” guidance is provided, including references to the SANS CWE Top 25 and CERT standards, which branches out from the previous references to OWASP only.