PCI Security Standards Council Issues Latest Information Supplements to PCI Data Security Standard

Wakefield, Massachusetts, United States

The PCI Security Standards Council, a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (DSS), PCI PIN Entry Device (PED) Security Requirements and the Payment Application Data Security Standard (PA-DSS), announced the availability of two Information Supplements providing further clarification for PCI DSS requirement 11.3, regarding penetration testing, and Requirement 6.6, regarding application code review and application firewalls. Both of these information supplements provide guidance to help merchants and service providers meet these two requirements in support of their PCI DSS compliance efforts. Both information supplements are now available on the Council's website at https://www.pcisecuritystandards.org/tech/supporting_documents.htm.

These Information Supplements are one of the Council's methods of providing clarification and guidance on the PCI DSS. The Council, in conjunction with the payment card industry and its Participating Organizations - now numbering more than 440 companies from around the globe - uses these Information Supplements to assist merchants and service providers in adopting the PCI DSS and protecting customer cardholder data.

Requirement 11.3 addresses penetration testing, which includes network and application layer testing, as well as controls and processes around the networks and applications. Such testing is invaluable to ensuring that both networks and applications are protected from outside intrusion. The Information Supplement for Requirement 11.3 provides guidance on who can perform penetration testing, what the scope of such testing entails, the frequency of such tests, preparation for these tests, testing methodology and components of testing techniques.

Requirement 6.6, which becomes effective on June 30, 2008, provides two options intended to address common threats to cardholder data and to ensure that input to web applications from untrusted environments is fully inspected. The Information Supplement for this requirement gives organizations clarification on implementing application code reviews (option one) and/or application firewalls (option two).

The first option for application code review for meeting Requirement 6.6 is now subdivided into four alternatives designed to meet the intent of the requirement. They include:

-- Manual review of application source code

-- Proper use of automated source code analyzer (scanning) tools

-- Manual web application security vulnerability assessments

-- Proper use of automated web application security vulnerability assessment (scanning) tools.

The second option for Requirement 6.6 is a Web Application Firewall (WAF), a security policy enforcement point positioned between a web application and a client endpoint. The Information Supplement provides recommended capabilities for a selected WAF, additional recommended capabilities for certain environments, additional considerations for organizations implementing a WAF, and additional sources of information on web application security.

"The Council is continually looking to provide the clearest guidance to all in the payments chain on implementing the PCI DSS," said Bob Russo, General Manager, PCI Security Standards Council. "These periodic Information Supplements are created from the varied and critical industry feedback we continue to receive from our stakeholders and are designed to make it easier for organizations' PCI DSS projects."

For More Information:

If you would like more information about the PCI Security Standards Council or would like to become a Participating Organization please visit pcisecuritystandards.org, where you can also find answers to frequently asked questions, or contact the PCI Security Standards Council at info@pcisecuritystandards.org.

About the PCI Security Standards Council

The mission of the PCI Security Standards Council is to enhance payment account security by driving education and awareness of the PCI Data Security Standard and other standards that increase payment data security.

The PCI Security Standards Council was formed by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. to provide a transparent forum in which all stakeholders can provide input into the ongoing development, enhancement and dissemination of the PCI Data Security Standard (DSS), PIN Entry Device (PED) Security Requirements and the Payment Application Data Security Standard (PA-DSS). Merchants, banks, processors and point of sale vendors are encouraged to join as Participating Organizations.

Source: Business Wire (Business Wire India)

AndhraNews.net News for April 23, 2008