If you are looking for advice on how to conduct a scope process for your web applications in order to become PCI-DSS compliant, PCI toolkit can help you understand how to determine if a web application falls under the scope and also it provides you guidance on how to test. Additional it points you to OWASP guidelines that your organization can use in order to achieve compliance
Very easy. Make a list of all your web applications.Then, download the PCI toolkit file.
On the Release folder you will find the OwaspPciToolkit.exe file. Double Click and this should open a Windows form app like this:
Once you have double clicked the executable file, the application will open like this:
At the top there is some key information that you need to fill in about the web application to be analyze like Name of the application, Programming language, Type o application. Keep in mind that the analysis done using the tool is PER WEB APPLICATION. Therefore the report produced by the Toolkit is per area (Card holder data, Development, Testing)
All questions are relevant. But the main question that determines if the application falls under the PCI scope, is this one.
These questions are not the same as the Self Assessment questionnaires you can find on the PCI council website. The questions are targeted to identify if the web application contains CardHolder Data and the tip buttons are testing tips on how to actually verify that your answers are correct. The first question is: Does the application store, transmits or process card holder data. In order to be able to answer such a complex question, you need to find out if the application does or does not one of the above mentioned actions(process,store, transmits). There are some ways to find out this:
-Ask the developer (but he can lie)
-Do a testing audit by evaluating the source code
Because the report can produce both answers at the same time. Basically, we want you to explore both answers at once
Once you have clicked the answers (corresponding to the application) Press 'Analyze CHD' button
This will produce a report in text file format. The output file report can be found at the same release folder: