This post may be a duplicate of an earlier one of mine, but every day that I work with the PCI standard I become more convinced that something needs to change, so I want to revisit it.
PCI is honestly my favorite standard in the progression of web application security right now. Not because I believe it is making an impact, but because I feel it gives me the leverage, as a consultant, to push customers into securing their websites.
One of the largest issues I see in the PCI standard is the balance it strikes between verifying whether a website or payment application is actually secure and the ease of use and compliance for the customer. I honestly feel that the requirements for PCI compliance are fairly minimal when it comes to verifying actual security.
Now, working at McAfee Secure, I should be the first to recognize that in order to have a successful standard or product, you must also make sure that the standard is obtainable. If you create a standard that is out of reach for most customers, you will clearly have trouble building a following that is not only able to satisfy the necessary conditions but also willing to support the standard itself. The problem is that you will soon find yourself making decisions about your product or standard that are not in its best interest from a security standpoint, purely to accommodate the customer so they can meet the standard.
Now, ask every security professional out there and they will most likely give you the exact same answer: "There should absolutely be no accommodations or settling when it comes to security." Based on that answer, I must say that if PCI is going to be successful, it must find a way to properly verify that the payment application or website is secure while still keeping the standard obtainable.
I touched on this a little in a previous post, "who takes pci seriously", but I honestly believe that the only way this standard has a chance of succeeding is to take the customization out of the customers' hands. What do I mean by this?
Every e-commerce site on the internet that takes credit card information must have some type of payment application or shopping cart. When you work with customers who come to us, or who end up compromised, you start to notice certain common patterns. One of the patterns I have been able to establish is that a customer is far more prone to having their site compromised if they use their own custom payment application or shopping cart.
Chances are, with most custom payment applications or shopping carts, the application itself was not coded with any kind of secure coding best practices and is most likely insecure in one way or another. THIS WILL NEVER STOP. There will always be websites that want a shopping cart custom tailored to their product, and they are not going to shell out the money to make sure that their custom app is coded correctly. This happens every day and, for the most part, will never cease.
What does PCI need to do to head this issue off at the pass?
This type of programming will never quit, and if PCI wants to do anything about it, it needs to act sooner rather than later. I believe that the payment application or shopping cart must be checked against the highest standards for security, and there must not be any accommodations in verification. One way to do this, I believe, is to make it a part of PCI's standard that all payment applications must either be approved by the PCI council through some type of high-level certification (VISA's list of validated payment applications), or the application or shopping cart must be subject to a level 1 audit.
What this will accomplish.
This should help eliminate all of the horribly coded shopping carts out there that look like they are a part of Foundstone's Hacme series, containing literally every web application vulnerability that has been in current use for the last decade. Website owners will no longer be able to hire the local web developer, with three months of development experience, to create a very sophisticated shopping cart. There are so many approved shopping carts out there that I feel at least one of them would be able to accomplish the task and be customizable enough for the customer. If not, they obviously have a product that is unique enough that they should have the funding to create a custom shopping cart and send it through the certification process.
In my opinion, this is a must. To me it is the only way to help verify that a payment application is secure and was written following coding best practices and security guidelines. It is also one of the only methods I see that, after an initial fight, could be adopted by anyone who is storing, processing, or transacting credit card information. Obviously an adjustment this large to a standard would need a grace period, but by some time before, let's say, the end of the world in 2012, a standard like this should be able to be adopted and carried out.
I am really interested in identifying either a better solution for improving the PCI standard or the faults in this type of modification. Any opinions would be greatly appreciated. I feel that PCI has made a huge start in helping to secure e-commerce online, but it is still very far from accomplishing its task.