Overall I concur with Bruce on this. PCI has too broad of a constituent base to cover to be truly effective. Some fixes were added after the TJX breach, but look at how much TJX paid versus how much they laid aside to pay. I am betting that the TJX lawyers produced documents showing that they were PCI compliant, and that Visa had accepted the annual findings. In the end TJX was able to claim that they were not negligent because they were PCI compliant. While PCI 1.1 points to OWASP for in-house developed web applications, where are the standards for 'PCI Approved' vendor development? How secure is the development process at the middleware vendor that is part of that web app, how good are the standards those organizations use and are held to?
I think until there is an industry-wide generally accepted, and pushed, standard for integrating secure development into the SDLC we will see band-aid approaches like the updated PCI.

Andy

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________