6

According to this quote from the "Applicability" section of PCI DSS, it's not:

The primary account number is the defining factor in the applicability of PCI DSS requirements. PCI DSS requirements are applicable if a primary account number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed or transmitted, PCI DSS requirements do not apply.

But does it mean that it is not applicable at all? Or just that I'm not obliged to fulfil these requirements? If I want my solution (application) to be secure (= to be recognized as secure by large enterprises), should I implement the requirements anyway, or should I invest my time in some other set of recommendations? In other words, would PCI compliance give me some credit when selling an application that is not dealing with payment cards, or is there some other, more generic standard?

bretik

2 Answers

5

Some of the PCI DSS requirements may apply to your situation (in fact, it's highly likely that some of them will). However, your application will have requirements that are specific to its problem domain, and that PCI does not address: similarly, PCI will make some requirements that are irrelevant (or even counterproductive) in your domain because they are specific to the domain of the payment card industry. Remember that standards, industry practices and checklists are a useful starting point for any endeavour, but that at some time you're going to have to solve your problem.

So in answer to your question about credit: if you're selling a livestock management application as PCI compliant, I would consider myself warned that you thought cows and credit cards were the same thing in creating your security model.

  • The [OWASP Top 10](https://www.owasp.org/index.php/Top_10_2010)'s warnings echo your comments about using standards as a starting point. "you may already be vulnerable to something nobody ever thought of before", so security is an ongoing test. – Stephen Paulger Jun 21 '11 at 08:51
4

PCI compliance is a good baseline no matter what you are trying to protect. If you are talking about an environment that has sensitive data (credit card, Social Security, or other), if you treat that data as if it were cardholder data and follow the PCI DSS you will achieve a good base level of security. If you take the time to have that level of security verified by a QSA, then you will definitely have credible evidence that your environment is secure which you may present to a third party.

If you are talking specifically about an application which you have written and are going to be selling, then secure code reviews and testing by a certified third party will probably provide more benefit.

freb