This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Summit 2011 Working Sessions/Session080

Revision as of 20:39, 19 January 2011 by Mchalmers (talk | contribs)

Jump to: navigation, search

Global Summit 2011 Home Page
Global Summit 2011 Tracks

WS. owasp.jpg Should OWASP work directly with PCI-DSS?
Please see/use the 'discussion' page for more details about this Working Session
Working Sessions Operational Rules - Please see here the general frame of rules.
Short Work Session Description Has the time come for OWASP to be much more proactive with PCI-DSS?

Jeremiah Grossman in his 'Open letter to OWASP' blog post:
"...5) Directly get involved with the PCI-DSS
PCI-DSS, despite whatever you think of it, does drive people to OWASP, but often under negative circumstances. Adoption of the OWASP Ten Top is not something e-commerce merchants necessarily want to do, but are forced to and no one likes to be forced to do “security.” As has been said privately to me, “What is OWASP except a bunch of crap I have to deal with for PCI?” This is the unfortunate net effect on attitudes. Merchants are incentivized to do the least application security they can get away with and NOT apply the Top Ten in the spirit of its intent. Either way, this makes OWASP look bad because the outcomes are indeed, bad. Of course PCI-DSS’s usage of the Top Ten in this manner was not something OWASP ever asked for, but here we are just the same.

Perhaps I’m not the first to say it, but this misuse has gone on long enough. If the PCI Council insists on using OWASP materials as an application security standard, which could be mutually beneficial, a good one must made available. Something clear, concise, and specifically designed for the risk tolerance of their credit card merchants. I believe this is what the OWASP PCI Project was meant to accomplish, but the status appears inactive. Fortunately there’s time to rekindle the effort as my understanding is the next revision to PCI-DSS is at least a year or two off. Done right, this could have a profound impact on a large segment of the Internet who currently get hacked all the time -- compliant or otherwise...."

Related Projects (if any)

Email Contacts & Roles Chair

Operational Manager
Mailing list

Venue/Date&Time/Model Venue/Room
OWASP Global Summit Portugal 2011
Date & Time

Discussion Model
participants and attendees

Projector, whiteboards, markers, Internet connectivity, power

Proposed by Working Group Approved by OWASP Board

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.


After the Board Meeting - fill in here.


After the Board Meeting - fill in here.


After the Board Meeting - fill in here.

Working Session Participants

(Add you name by clicking "edit" on the tab on the upper left side of this page)

Name Company Notes & reason for participating, issues to be discussed/addressed
Matthew Chalmers @