
PCI confusion. Do they inspect code?

AffiliateDreamer

5:42 pm on Mar 12, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi,

I am trying to get set up with Moneris (I'm in Canada) and they want PCI compliance.

HackerSafe has a PCI compliance service where they charge $149, but it seems to be an external scan they do and some questionnaire.

Is that all that is required? Isn't a source code analysis required?

DamonHD

6:11 pm on Mar 12, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



When I was doing PCI compliance for a system that I was responsible for, there was no code inspection that I knew of.

Frankly I don't see how a code inspection could help in practice: very few people could spot something bad, and there'd be a lot of stuff to check.

They care more about correct process and security, rightly IMHO.

Rgds

Damon

Jack_Hughes

1:23 pm on Mar 13, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



May depend on the level of PCI compliance you need to adhere to. Certainly at level 4 you don't need to have a code inspection.

rocknbil

8:38 pm on Mar 14, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm no expert in this area, but I would *think* a PCI audit would be a waste of time without a code review.


Requirement 6: Develop and maintain secure systems and applications....
Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability.

Documentation [pcicomplianceguide.org]

Also if a scan reveals a vulnerability on any level, they won't even have to see your code to know it has vulnerabilities:

In order to be PCI DSS compliant, or compliant with any card brand program, a scan must not contain any vulnerability concerning features or configurations that are a PCI DSS violation.

Documentation [pcicomplianceguide.org]
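To make the Requirement 6 quote above concrete, here is an added example (not from this thread, not from Moneris, HackerSafe or the PCI DSS documents) of a tiny pre-release review gate: it scans a constructed snippet of "custom code" for three patterns a reviewer would reject before release, namely SQL built by string concatenation, a full card number written to a log, and the card verification value being persisted. The regexes, the `review_source`/`release_allowed` function names and the sample lines are all assumptions made for this illustration; they are heuristics a real review or SAST tool would go well beyond.

```python
"""Minimal pre-release source review gate (constructed illustration).

Flags a few coding patterns that a PCI-style custom-code review would
typically reject before code reaches production. The checks are
regex heuristics written for this example, not a substitute for a
real review or a static analysis tool.
"""
from __future__ import annotations

import re
from typing import NamedTuple


class Finding(NamedTuple):
    line: int          # 1-based line number in the reviewed source
    check: str         # which check tripped
    remediation: str   # what the reviewer would ask for instead
    text: str          # the offending line, stripped


# (check name, pattern, remediation). Patterns are deliberately narrow
# heuristics for this example; a real code base needs its own tuning.
CHECKS = [
    ("sql-string-concat",
     re.compile(r'["\'][^"\']*\b(SELECT|INSERT|UPDATE|DELETE)\b[^"\']*["\']\s*\+', re.I),
     "build the query with bound parameters, never string concatenation"),
    ("full-pan-logged",
     re.compile(r'\blog\.\w+\(.*\bcard_number\b(?!\s*\[)'),
     "log only a masked or truncated PAN (e.g. the last four digits)"),
    ("cvv-persisted",
     re.compile(r'\b(save|insert|store|write)\(.*\bcvv\b', re.I),
     "the card verification value must never be stored after authorisation"),
]


def review_source(source: str) -> list[Finding]:
    """Scan each line of `source` and return every check it trips."""
    findings: list[Finding] = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for name, pattern, fix in CHECKS:
            if pattern.search(text):
                findings.append(Finding(lineno, name, fix, text.strip()))
    return findings


def release_allowed(source: str) -> bool:
    """Release gate: any finding blocks the push to production."""
    return not review_source(source)


# Constructed sample of "custom code" lines. Lines 1, 3 and 4 are the
# bad patterns; lines 2 and 5 are the corrected forms of 1 and 3.
SAMPLE_SOURCE = """\
sql = "SELECT * FROM orders WHERE id = " + order_id
cursor.execute("SELECT * FROM orders WHERE id = %s", (order_id,))
log.info("charging card %s" % card_number)
db.save(cvv=card_cvv)
log.info("charging card ending %s" % card_number[-4:])
"""


if __name__ == "__main__":
    for f in review_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.check}: {f.text}\n    -> {f.remediation}")
    print("release allowed:", release_allowed(SAMPLE_SOURCE))
```

Run as-is it reports three findings and refuses the release; swap the sample for your own source to see which lines a reviewer would send back. The point of wiring something like this into the release step, rather than relying on the external scan alone, is that a scanner only sees what the running site exposes, whereas a review of the code catches defects before they are deployed.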