Update 07.14.2007: As a result of this post a good discussion has emerged over at PCI Compliance Demystified. I clarified my points in a blog comment over there and duplicated the content here as well (see below).
I’ve posted often about PCI with a particular interest in one question: “what web application vulnerabilities are ASVs required to identify?” For merchants and ASVs alike this is a very important question. For a website to pass PCI, what depth of testing is sufficient for an ASV to pass it? Is the bar low enough for a network scanner to clear, or will something comprehensive be necessary? The answer benchmarks PCI’s level of security assurance for merchants and the rest of the industry.
More than a year ago MasterCard informed the ASVs that they’d drop 8 of the OWASP Top 10 from the scanning requirements, leaving only Cross-Site Scripting (XSS) and SQL Injection. Then, in a seemingly contradictory statement, they said, “...there are no plans to make any of the PCI Data Security Standard requirements less robust. Any future enhancements to the standard are intended to foster broad compliance without compromising the underlying security requirements of the current standard." Left in confusion, we didn’t know what to believe, so we waited for the answer.
Recently I looked up the newest PCI 1.1 documents, and in the Technical and Operational Requirements for ASVs it looks like we have the answer. On page 10 it says the following:
Custom Web Application Check
The ASV scanning solution must be able to detect the following application vulnerabilities and configuration issues:
• Unvalidated parameters which lead to SQL injection attacks
• Cross-site scripting (XSS) flaws
How about that! PCI requires only 2 of the OWASP Top 10, only 2 of the 24 attack classes in the WASC Web Security Threat Classification, and makes absolutely no mention that the scanner has to be logged in during the scan. Great. So “technically” the PCI standard itself has NOT been watered down; that much remains the same. What has been lowered is enforcement of web application security under PCI compliance, which is now down to virtually nothing.
My concern is that merchants will be getting a clean bill of security health and never be informed that their websites are very likely riddled with unreported vulnerabilities that weren’t even tested for. That includes XSS and SQL Injection too, in every part of the site a logged-out scanner never reaches. I understand and appreciate the business challenges of cost and performance the PCI Council has to consider, but come on, this sets a very dangerous precedent. Scans conducted like this will do NOTHING to make a website more secure or to thwart anyone from finding the one vulnerability they need for exploitation.
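To make the “not logged in” gap concrete, here is an added illustration (my own constructed example, not anything from the PCI documents or from any ASV product). It simulates, entirely in-process, a merchant site with a public catalog page that binds its parameter safely and an account page, reachable only with a session, that splices its parameter straight into SQL. A deliberately naive scanner crawls the site, appends a single quote to every parameter it finds, and flags responses that leak a database error. Run without a session it never gets past the redirect, so it reports nothing; run with one it finds the injection. All routes, table names, the session flag and the probe string are assumptions made up for the example.

```python
"""Why an unauthenticated scan under-reports: constructed, in-process demo.

No real server or network: handle() plays the web application and scan()
plays a minimal error-based SQL injection probe. Every route, schema row
and the `logged_in` flag are constructed for this example.
"""
import re
import sqlite3
from urllib.parse import urlparse, parse_qs

# Constructed in-memory data standing in for a merchant site's database.
db = sqlite3.connect(":memory:")
db.executescript("""
    CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT);
    INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');
    CREATE TABLE orders(id INTEGER PRIMARY KEY, card_last4 TEXT);
    INSERT INTO orders VALUES (1001, '4242'), (1002, '0005');
""")


def handle(url, logged_in):
    """Simulated request handler: returns the response body for one URL."""
    parts = urlparse(url)
    q = parse_qs(parts.query)
    if parts.path == "/":
        return '<a href="/products?id=1">catalog</a> <a href="/login">login</a>'
    if parts.path == "/login":
        return "login form (not followed by the crawler)"
    if parts.path == "/products":
        # Safe: bound parameter, so hostile input cannot alter the statement.
        row = db.execute("SELECT name FROM products WHERE id = ?",
                         (q.get("id", ["0"])[0],)).fetchone()
        name = row[0] if row else "none"
        return f'<p>{name}</p> <a href="/account?order=1001">my orders</a>'
    if parts.path == "/account":
        if not logged_in:
            # No session: the scanner sees a redirect with no links and no
            # parameter handling, so the crawl dead-ends here.
            return "302 redirect to /login"
        # Vulnerable: the parameter is concatenated into the SQL text.
        try:
            row = db.execute("SELECT card_last4 FROM orders WHERE id = "
                             + q.get("order", ["0"])[0]).fetchone()
        except sqlite3.OperationalError as e:
            return f"Database error: {e}"  # verbose error the probe keys on
        return f"<p>card ending {row[0] if row else 'n/a'}</p>"
    return "404"


def scan(logged_in, start="/"):
    """Crawl from `start`, append a single quote to each query parameter,
    and return the sorted paths whose response leaks a database error."""
    seen, todo, findings = set(), [start], set()
    while todo:
        url = todo.pop()
        if url in seen:
            continue
        seen.add(url)
        body = handle(url, logged_in)
        todo.extend(re.findall(r'href="([^"]+)"', body))
        parts = urlparse(url)
        for name, values in parse_qs(parts.query).items():
            probe = f"{parts.path}?{name}={values[0]}'"
            if "error" in handle(probe, logged_in).lower():
                findings.add(parts.path)
    return sorted(findings)


if __name__ == "__main__":
    print("unauthenticated scan:", scan(logged_in=False))  # []
    print("authenticated scan:  ", scan(logged_in=True))   # ['/account']
```

The point is not the probe itself, which is about as crude as scanners get, but the coverage: the same tool, with the same single check, passes the site cleanly when it is kept outside the login and finds the hole the moment it is given a session. A requirement that names the vulnerability classes but says nothing about authenticated crawling leaves the second run optional.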
Oh well, I guess the bright side is that we have our answer, and things could be improved upon later. How much later?