Well there is nothing like an updated specification that drives action or interest in a topic. We're seeing that with the introduction of PCI 3.0. While there are several key updates to the specification, the one I find most interesting reflects the reality of how applications are constructed today - from components. It's great to see this baked into the latest PCI specification and related specifications like OWASP.
In some ways, the PCI specification already had this covered - PCI 2.0 required that organizations develop and maintain secure systems and applications. Since applications are comprised primarily of components, using secure components is the only way to comply with PCI.
The 3.0 specification version makes the component requirement more explicit - starting with basic identification of what you have. Version 3.0 expands the specification by requiring organizations to maintain an inventory of system components as a way to ensure proper compliance coverage.
The 3.0 specification reiterates that current best practices be used as defined by OWASP, SANS, and others. Of particular interest is OWASP A9, which focuses on eliminating vulnerable components. A9 requires that you identify components inure, monitor public databases for vulnerabilities and requires you to establish security policies that governs component use.
For more information on PCI 3.0 and the OWASP Top 10, check out our resource section. We have a new PCI whitepaper, and an upcoming webinar that addresses how Crosskey uses Sonatype to address PCI compliance.
And here's a list of recent articles that have been published about PCI:
- The history of the PCI DSS standard: A visual timeline
- 5 things you need to know about new Payment Card Industry (PCI 3.0) standard
- PCI 3.0 special report: Reviewing the state of payment card compliance
- PCI DSS version 3.0: The five most important changes for merchants
- Payment card industry gets updated security standard with new requirements
Let me know if you run across other good resources - and join us for our upcoming webinar on Wednesday, December 4, 2013 3:00PM EST.