PCI scoring contradiction

Risk ratings in a PCI security assessment are directly based on CVSS v2 scores, here’s an extract from CVSS v2 scoring guide:

SCORING TIP #2: When scoring a vulnerability, consider the direct impact to the target host only. For example, consider a cross-site scripting vulnerability: the impact to a user’s system could be much greater than the impact to the target host. However, this is an indirect impact. Cross-site scripting vulnerabilities should be scored with no impact to confidentiality or availability, and partial impact to integrity.

This seems to contradict the objectives of PCI which is to secure card holder data. Whether or not this requires 0wning a server is irrelevant. And with XSS you can obviously compromise card holder data without having to compromise any servers. Go figure.

• 
  

• About

  Secure and robust software doesn’t have to be an utopian ideal. By treating security as a first class business requirement during the initial design, implementation and testing phases, software can be secure by default.

• Recently Written

  • How to install Arachni on Mac OS X Lion
  • ORM validation
  • HTTP Fingerprinting tool
  • Security Gap Analysis of Struts2
  • PCI scoring contradiction
  • Digg like security news site
  • Seam Remoting’s default allow
  • Integrating security into QA testing
  • Security Testing with Watij
  • Defining security requirements

• Categories

  • Design
  • frameworks
  • News
  • Testing
  • Uncategorized

• Archives

  • January 2012
  • November 2009
  • May 2009
  • April 2009
  • September 2008
  • February 2008
  • January 2008

• Blogroll

  • Adam Boulton’s blog
  • Build Security In
  • Corsaire
  • OWASP
  • Security Pundit
  • Test Driven

• Admin

  • Register
  • Log in