PCI 3.0 – Secure Payment Requires Secure Components


November 14, 2013 By Derek Weeks

Well, there is nothing like an updated specification to drive action or interest in a topic. We’re seeing that with the introduction of PCI 3.0. While there are several key updates to the specification, the one I find most interesting reflects the reality of how applications are constructed today – from components. It’s great to see this baked into the latest PCI specification and related specifications like OWASP.

In some ways, the PCI specification already had this covered – PCI 2.0 required that organizations develop and maintain secure systems and applications. Since applications are composed primarily of components, using secure components is the only way to comply with PCI.

Version 3.0 of the specification makes the component requirement more explicit – starting with basic identification of what you have. It expands the specification by requiring organizations to maintain an inventory of system components as a way to ensure proper compliance coverage.

The 3.0 specification reiterates that current best practices be used as defined by OWASP, SANS, and others. Of particular interest is OWASP A9, which focuses on eliminating vulnerable components. A9 requires that you identify the components in use, monitor public databases for vulnerabilities, and establish security policies that govern component use.

For more information on PCI 3.0 and the OWASP Top 10, check out our resource section. We have a new PCI whitepaper, and an upcoming webinar that addresses how Crosskey uses Sonatype to address PCI compliance.

And here’s a list of recent articles that have been published about PCI:

Let me know if you run across other good resources – and join us for our upcoming webinar on Wednesday, December 4, 2013 3:00PM EST.