
Re: [WEB SECURITY] Cross-Site Scripting PCI Question

On Mar 4, 2009, at 2:03 PM, Trey Ford wrote:

> Joe,
>
> You have framed a couple of really good questions here:
>
> 1) Will a website vulnerability prevent a company from achieving PCI  
> compliance?
> Remember the difference between validation and compliance.  PCI  
> validation is what happens during the audit.  Picture the moment  
> where you hand your insurance to a police officer during a routine  
> traffic stop.  That is validation, the point in time where you are  
> verifying the proof of insurance.
>
> Compliance is maintaining that secured state all of the time, not  
> just during PCI validation.  (just having your 'proof of insurance'  
> card for a cancelled policy means you might sneak past validation,  
> but you certainly are not compliant, right?)

As an additional concern: PCI requirements can be considered a duty-of-care  
standard in tort negligence claims.  So not only do you need to meet them  
for compliance/validation, but also for defending yourself in a court of  
law.

Requirement 3 of the PCI DSS has already been enshrined in Minnesota's  
state law.  Many in the legal field have been waiting for more of the  
PCI DSS to start being codified at the state level.

...
T.C. Niedzialkowski
Technical Account Manager
WhiteHat Security Inc.
office: 408.343.8377 ex. 677 / cell: 408.509.8997
Brought to you by http://www.webappsec.org