PCI Requirement 6.6 is meant to ensure that there are security controls in place to protect web applications that store, process, or transmit credit card data. One of Dave’s main jobs as a QSA is to ensure that organizations who process credit cards comply with the PCI DSS standard. As a Security Consultant one of Gary’s main roles is to perform web application security assessments. Gary thinks that PCI Requirement 6.6 is not a good enough standard to truly protect web application securely, but Dave believes that other controls in the standard help should help protect web applications. In this presentation Gary will review why PCI DSS 6.6 does not equal security (through discussion and demonstrations) and Dave will try and defend the PCI DSS using the controls that are required to be in place. Watch Gary and Dave battle over the ability of PCI DSS 6.6 to protect web applications.

Gary McCully: I’m a Hacker and I believe that compliance with PCI DSS 6.6 is not a good indicator that a web application is truly secure. Just like any honey badger, I will fight to prove David wrong because honey badgers just don’t care. In my years of assessing web applications I have encountered many vulnerabilities that many web application scanners are unable to detect. I have also encountered many web application firewalls that are so poorly configured that they did very little to protect the web application from attack. I am Security Consultant on the Risk Management team at SecureState, a Cleveland, Ohio based security consulting company. At SecureState, I perform vulnerability assessments, war dialing, penetration tests, physical penetration tests and web application security reviews. My research interests include the development and implementation of vulnerability management programs, lock picking, and SSL vulnerabilities.

David Sopata: I’m a QSA and I believe that the PCI DSS provides a good starting point for organizations to help secure their cardholder data (CHD). I believe that there are other controls within the PCI DSS that can help prevent some security vulnerabilities that can squeak by bad web application vulnerability assessments and poorly implemented web application firewalls. It really does not matter what Gary thinks, because he will never be compliant. I am a Senior Consultant for the Audit and Compliance group at SecureState. At SecureState I have both led and participated on dozens of engagements ranging from audit activities including SAS70(Yeah, I know SAS70 is, dead get over it! ) Now SSAE16/AT101/SOC, COBIT general controls, Sarbanes-Oxley (SOX), Payment Card Industry (PCI) Health Insurance Portability & Accountability Act (HIPAA), and ISO 27001, and Gramm-Leach-Bliley Act (GLBA) to technical assessments including vulnerability assessments, war-driving, social engineering, and physical access. Some of my interest include picking the locks to women’s chastity belts, teaching puddles how to fly, and striking fear, doom, and despair into the hearts of PCI merchants and service providers.