PCI DSS 2.0: Anton Chuvakin, PCI compliance expert, on what 2.0 means


by VPNHaus | 11/09/2010 | Uncategorized


VPN Haus talks again to PCI compliance expert Anton Chuvakin about the latest updates to PCI DSS 2.0, issued late last month.

VPN Haus: Why do you think Requirement 6.5 on secure web application development is no longer tied to <a href="http://www.owasp.org/index.php/Main_Page">OWASP</a>? Is secure web application development even possible?

Anton Chuvakin: I noticed that the new standard has used general terms in place of some specific terms ("authorized person" vs "management", etc) - I see this as simply one of such cases. There are other approaches to secure application dev (which are jus

VPN Haus: Do you think the Council was explicit enough in its requirements for two-factor authentication by outright requiring two different methods of authentication? I've heard people say too many protocols were passing for two-factor that weren't before.

Chuvakin: Correct, I've met people - ok, not people, idiots - who claimed that "username is one factor, password is another, so TWO factors." My impression is that the Council made the new guidance more "idiot-proof" by clarifying what they mean by two-facto

VPN Haus: Should the Council have gone as far as certifying certain technologies that qualify as two-factor authentication? V2.0 just gives examples, like a token or smart card and biometric data, but stops short of certifying technologies.

Chuvakin: Examples are just fine, and hopefully they will help stamp out the more blatant abuses of this guidance. Personally, even the old guidance was clear enough, but this is even better with regard to two-factor [authentication].

Next week we continue our conversation with Chuvakin on PCI DSS 2.0. See previous interviews VPN Haus did with Chuvakin on PCI compliance here and here.
