PCI DSS 2.0: Anton Chuvakin, PCI compliance expert, on what 2.0 means

Posted: November 9, 2010 in Uncategorized

VPN Haus talks again to PCI compliance expert Anton Chuvakin about the latest updates to PCI DSS 2.0, issued late last month.

VPN Haus: Why do you think Requirement 6.5 on secure web application development is no longer tied to OWASP? Is secure web application development even possible?

Anton Chuvakin: I noticed that the new standard has used general terms in place of some specific terms (“authorized person” vs “management”, etc) – I see this as simply one of such cases. There are other approaches to secure application dev (which are just as good, supposedly) and OWASP is just one example they give and not “the god given way” to do application security. Secure web dev sure is possible, but just awfully unpopular :-). PCI is expected to make it more popular in the future.

VPN Haus: Do you think the Council was explicit enough in its requirements for two-factor authentication by outright requiring two different methods of authentication? I’ve heard people say too many protocols were passing for two-factor that weren’t before.

Chuvakin: Correct, I’ve met people – ok, not people, idiots – who claimed that “username is one factor, password is another, so TWO factors.” My impression is that the Council made the new guidance more “idiot-proof” by clarifying what they mean by two-factor authentication.

VPN Haus: Should the Council have gone as far as certifying certain technologies that qualify as two-factor authentication? V2.0 just gives examples, like a token or smart card and biometric data, but stops short of certifying technologies.

Chuvakin: Examples are just fine, and hopefully it will help stamp out the more blatant abuses of this guidance. Personally, even the old guidance was clear enough, but this is even better in regards to two-factor [authentication].
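The point made in the last two answers, that two factors means two different categories of evidence (something you know, something you have, something you are) and not merely two pieces of data, is easy to check mechanically. The following is an added example, not code from the interview or from the PCI Council: a small policy reviewer that maps each authenticator in a remote-access policy to its factor category and flags schemes that only look like two-factor. The authenticator catalogue and the sample policies are constructed for illustration.

```python
# Added example (not from the original page): classify authenticators by
# factor category and reject "two-factor" policies that reuse one category.

from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Assumed catalogue of authenticator names -> factor category.
# A username identifies the account but is not a secret, so it is no factor.
AUTHENTICATOR_FACTORS = {
    "username": None,
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "hardware_token": Factor.POSSESSION,
    "smart_card": Factor.POSSESSION,
    "totp_app": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
}


def factors_used(authenticators):
    """Return the set of distinct factor categories the policy requires."""
    found = set()
    for name in authenticators:
        if name not in AUTHENTICATOR_FACTORS:
            raise ValueError(f"unknown authenticator: {name}")
        factor = AUTHENTICATOR_FACTORS[name]
        if factor is not None:
            found.add(factor)
    return found


def is_two_factor(authenticators):
    """True only when at least two *different* categories are required."""
    return len(factors_used(authenticators)) >= 2


def review_policy(name, authenticators):
    """Produce a one-line PASS/FAIL verdict for a remote-access policy."""
    used = factors_used(authenticators)
    verdict = "PASS" if len(used) >= 2 else "FAIL"
    categories = ", ".join(sorted(f.value for f in used)) or "none"
    return f"{verdict}: {name} requires {len(used)} factor category(ies): {categories}"


# Constructed sample policies, including the "username + password" claim
# from the interview and a knowledge-only "password + PIN" variant.
SAMPLE_POLICIES = {
    "vpn-legacy": ["username", "password"],
    "vpn-pin": ["username", "password", "pin"],
    "vpn-token": ["username", "password", "hardware_token"],
    "admin-card": ["smart_card", "fingerprint"],
}

if __name__ == "__main__":
    for policy_name, auths in SAMPLE_POLICIES.items():
        print(review_policy(policy_name, auths))
```

Only the first two sample policies fail: adding a PIN to a password adds nothing from the reviewer's point of view because both are knowledge factors, which is exactly the kind of scheme the clarified guidance is meant to rule out.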

Next week we continue our conversation with Chuvakin on PCI DSS 2.0. See previous interviews VPN Haus did with Chuvakin on PCI compliance here and here.

  1. ashy1066 says:

    Identity theft from payment cards is the major problem today. A PCI compliance expert, I think, is the best way to secure the data and information of credit card security.
