PCI DSS 2.0: Anton Chuvakin, PCI compliance expert, on what 2.0 means
VPN Haus: Why do you think Requirement 6.5 on secure web application development is no longer tied to <a href="http://www.owasp.org/index.php/Main_Page">OWASP</a>? Is secure web application development even possible?
Anton Chuvakin: I noticed that the new standard has used general terms in place of some specific terms ("authorized person" vs "management", etc) - I see this as simply one of such cases. There are other approaches to secure application dev (which are jus
VPN Haus: Do you think the Council was explicit enough in its requirements for two-factor authentication by outright requiring two different methods of authentication? I've heard people say too many protocols were passing for two-factor that weren't before.
Chuvakin: Correct, I've met people - ok, not people, idiots - who claimed that "username is one factor, password is another, so TWO factors." My impression is that the Council made the new guidance more "idiot-proof" by clarifying what they mean by two-facto
VPN Haus: Should the Council have gone as far as certifying certain technologies that qualify as two-factor authentication? V2.0 just gives examples, like token or smart card and biometric data, but stops short of certifying technologies.