Align PCI-DSS v3.2.1 to the "Finance and Insurance" Industry #317
Comments
|
@danielcuthbert @tghosth @jmanico @m8urnett - I do not have time for this this week, but Christian does bring up a good question. If none of us has time, could we at least push this for 4.1? I'm going to re-allocate to Daniel as he's in the banking sector, but I'm happy if anyone of us looks at it and sees if it can make 4.0 |
|
@vanderaj Also the recent PCI Software Security Standard also adopted/based on the prior major release of ASVS v3 as suggested by https://twitter.com/oleggryb/status/1085613838597124096 @danielcuthbert I am willing to contribute the correlation of the PCI Software Security Standard to ASVS v4 for the next minor/major release? |
@vanderaj The above was already addressed by @danielcuthbert within #378 |
|
@cmlh is there any further effort needed here? |
|
I am willing to contribute this provided I am given credit as a PR against ASVS v4.0.2? It may also be worth considering to wait until PCI-DSS 4.0 is released in 2021?
|
|
I think a mapping of PCI-DSS v3.2.1 to ASVS v4.0.2 would still be useful |
|
There is around 18 months between the releases of ASVS 4.0.1 (March 2019) and 4.0.2 (October 2020). PCI-DSS 4.0 is planned to be released by June 2020 at the latest or within 9 months. If I integrate PCI-DSS v3.2.1 before June 2020 then will another release of ASVS be made? |
|
So from my perspective, we could issue a 4.0.3 faster if we had additional useful content. Can you describe in a little more detail what you would be preparing? Is it a simple mapping or is it more involved? |
|
@tghosth The milestone for ASVS v4.1 is planned for 30 April 2021 and would take around a day or so to modify the table cited within this issue |
|
We are pushing toward 4.1 so PR's in this are are appreciated. |
PCI-DSS v4.0 has been postponed so I'll focus on PCI-DSS v3.2.1 for the ASVS 4.1 release and then open another issue for PCI-DSS v4.0. |
|
The table within Appendix D has been removed since ASVS v3.0 PCI-DSS 3.5.1 has a brief mention within the last paragraph of page 8 within ASVS v4.0.2:
|
|
Below are the various requirements where OWASP is quoted within PCI DSS v3.2.1:
I have created the following markdown "task list" to track the PCI DSS v3.2.1 Requirements above:
|
|
We are closing this for now as we feel that adding PCI-DSS requirements into the standard is a huge amount of work and the value of doing so will eat into efforts to make the ASVS standard better. |
|
@danielcuthbert I believe the plan going forward was to fork ASVS for PCI-DSS Requirement 6.5 and the remaining [PCI-DSS Requirements] would be moved to the next minor release milestone of ASVS i.e. after ASVS 4.1 rather than take leadership at this point in time and align with the next release major 4.0 release of PCI DSS |
|
If you wish to take this on, by all means. PCI has made it clear they have a standard and aren't open to sharing unless you are a paid member. I don't see what value forking ASVS to better meet PCI-DSS requirements would give us but happy to schooled here |
|
Are you referring to https://www.pcisecuritystandards.org/get_involved/participating_organizations or something else as I've never been a member of PCI-SSC or had to pay a fee to access their documentation. I do not believe that their continued reference to the OWASP Top Ten as "the OWASP Guide" in PCI-DSS is in the interest of application security. |
|
https://blog.pcisecuritystandards.org/part-one-conceptual-differences-between-ssf-and-pa-dss should be referenced within the fork too. |
jmanico
added
_5.0 - prep
|
https://blog.pcisecuritystandards.org/countdown-to-pci-dss-v4.0 dated 25 Feb 2022
|
|
Just marking a placeholder for the release of PCI-DSS 4.0 |
Both #78 and #77 are related issues which were discussed during the 3.0 milestone.
For the next release of ASVS can the reference to PCI-DSS in Appendix D be:
The text was updated successfully, but these errors were encountered: