Well? Will you?
We’re waiting!
Hopefully your bank is not taking THAT approach to checking on your status, but I know many merchants are feeling the heat. Jaikumar Vijayan of Computerworld writes that when this deadline passes, most people will not be in compliance. If you read the letter of the law, yes, I would agree. But based on the guidance released by the Council, if you are compliant with the rest of the standard, there is a pretty good chance you are compliant with 6.6.
In this clarification, the Council declared that the intent of the code review component includes “Manual web application security vulnerability assessment” and “Proper use of automated web application security vulnerability assessment (scanning) tools.” So essentially, if you are getting something like VeriSign’s Premium Vulnerability Management Service, you meet this requirement. You could also count your penetration test, as long as the application has not changed since that test was performed and the test covers the entire application with manual interaction. VeriSign’s Penetration Testing services DO cover this.
There will be some merchants that do not meet the requirement, but those merchants have likely been doing just the bare minimum, or “Managing Checkmarks,” rather than building a sound security infrastructure and fitting compliance inside it. Merchants doing that are probably not fully compliant on any given day anyway.