PCI is a beast, and continues to blot out the sun with its harpy wings, wheeling in the desert sky, slowly waiting to pounce on the weak. Between concerns over requirement 6.6, code reviews, WAFs, and so on…where will this lead us? Let me play annoying Devil’s Advocate a bit.
Well, if you’re a web development shop, why go through all the friggin trouble? Rather than process and store any payment information, hire out to someone like PayPal. When you’re ready to check out, click the PayPal button which transfers you over to the PayPal site along with whatever transaction information you need. User logs in there, performs transaction there, and completes it there. Let the PayPal-type sites deal with PCI.
This way, every web dev shop won’t need a WAF or layers of security or code reviews. Not that I think they should all ditch such efforts, I just feel such efforts are too idealistic for our economic world. I know I’ve yet to hear a developer or developer manager who has any interest in spending effort, time, or money on an SDLC beyond what it takes to roll out product faster and with higher quality (quality not being defined in terms of security other than the most basic stuff like SSL support).
Of course, this means that while web shops won’t process your credit information or store it, they can and likely will store everything else about you. But, hey, that doesn’t fall under PCI!