RE: New OWASP project - PCI Web Security Standards

["Ahmed Shahzad" <websoft () wol net pk>]

Hi all,

I fully agree with Justin.

Afte careful review of strawman draft, pls note my feedback/suggestions:

For Requirement 5: [I think below points will be good to have]
A password should use at least one numeric character and one alphabetic character. The password should have as many 
different characters as possible. Character variety is almost as important as password length. Lower- and upper-case 
letters, numbers, and other characters (!"?;%:?*()_+/@#$%...) may be used. 

Examples of weak passwords: pass123, password123, Tom, 92-42-5720242 

Example of a strong password: qj@5^a2k  

It is recommended that users not re-use any of their previous four passwords, whether or not permitted by the system.

For requirement 10:
NOTE: PCI v1.0, Requirement 10.7, states: “An audit history usually covers a period of at least one year, with a 
minimum of three months available online.”

Care should be taken to not record sensitive information in application audit logs. For instance, access to a 
cardholder account should ensure that part of the account number is encrypted or scrubbed. The goal is to retain enough 
information to reconstruct access events without creating an exposure by recording too much information in the audit 
logs.

Ciao,
Ahmed Shahzad Awan