Back to overview

Wild card joker b

Most ecommerce applications will be subject to various legal, regulatory, contractual or other organizational mandates. These are likely to include requirements for data protection/privacy and payment card security. Some examples are:

An undocumented installed component has a vulnerability announced. The server hosting the ecommerce application makes an unapproved connection to another system. The fully outsourced payment form template is modified to include code from the merchant's server. Personal data relating to an individual is used for a purpose the individual has not consented to. An unauthorised change to configuration data such that some component/service is no longer configured adequately. Unapproved/insecure services/applications are installed/enabled. The terms of service, or privacy statement, are modified without approval. Personal data is inadvertently mixed with business contact data. A scheduled process is accidentally disabled so that quarterly data destruction is stopped, meaning the application no longer complies with the data retention and disposal policy. An unapproved change, or application compromise, could mean the ecommerce application is no longer in compliance, or that compliance reporting requirements change. For example, an ecommerce website might be eligible to assess and report under PCIDSS using Self Assessment Questionnaire (SAQ) A, but due to one of the above issues, the merchant no longer meets the eligibility requirements, and thus has to use controls in and report under the longer SAQ A-EP or full SAQ D.


What could change that affects compliance? How will the application detect this? What is the incident response process for these?

How to play?

Bob can influence, alter or affect the application so that it no longer complies with legal, regulatory, contractual or other organizational mandates

ASVS (4.0) Cheatsheetseries Index


Loading comments 0%

Github logo View source on GitHub

Provided by dotNET lab

This website is created, hosted and provided by dotNET lab. dotNET lab provides training and guidance on secure software development. Contact us to get in touch!

OWASP Cornucopia

OWASP Cornucopia is originally created by Colin Watson. It is open source and can be downloaded free of charge from the OWASP website. It is is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one. OWASP does not endorse or recommend commercial products or services. OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license and is © 2012-2016 OWASP Foundation.