Category:OWASP PCI Project

Important Notice

Understanding of security vulnerabilities as explained in the OWASP top ten or SANS Top 25 is essential for using properly this scoping tool. The tool helps to identify if the application falls within the PCI-DSS scope in order to become compliant however it is essential to identify if your organization has the necessary tools and know-how to be able to create a scope

• Knowledge of the most common security vulnerabilities in Web Applications
• Knowledge of penetration tests and tools as advised by the PCI security council (ASV vendors)

Please check the guideline at: https://sourceforge.net/p/pcitoolkit/wiki/Home/

What is PCI-DSS?

The PCI Security Standards Council offers robust and comprehensive standards and supporting materials to enhance payment card data security. These materials include a framework of specifications, tools, measurements and support resources to help organizations ensure the safe handling of cardholder information at every step. The keystone is the PCI Data Security Standard (PCI DSS), which provides an actionable framework for developing a robust payment card data security process -- including prevention, detection and appropriate reaction to security incidents.

How does the PCI toolkit work?

The toolkit helps you identify if the application falls into the PCI-DSS scope and the necessary measures that must be taken in order to become compliant. The tool by it self does not scan your application but it guides you on the available tools, guidelines and documents related to understand much better how to properly execute the scope and test the application against security vulnerabilities

What is the purpose of this tool?

The main purposes is to offer an interactive guideline on how to determine if a web application falls into the PCI-DSS scope. The PCI-DSS requirements do not specify which guidelines , tools or how to implement the requirements, this tool helps you understand how to do it.

Volunteers

Johanna Curiel

Ignacio Salom

A prototype of the tool was released in May 2014 -Alpha version 1.0 features

• Series of Questions and answers regarding the Web application to be analyzed
• For each application present in the environment to be analyzed,
• Analysis and report of Card Holder Data present

Alpha Release 1.1 Plan for Begin November 2015 A complete remake of the Tool in Electron : http://electron.atom.io It will include:

• Analysis Report of Testing Environment process and procedures
• Reports in PDF format
• Integration with OWASP OWFT and OWASP ZAP for preliminary analysis of web application vulnerabilities

Feedback

Please email johanna[dot]curiel [at] owasp.org for feedback or submit issues at https://github.com/owaspjocur/OwaspPciToolkit/issues