6.6 Clarification
jbhall56
07-25-2007, 12:11 PM
The first bullet in 6.6 states:
"Verify that custom application code is periodically reviewed by an organization that specializes in application security;"
This seems to imply that an outside, third party is required to assess application security through a code review. However, that is not explicitly stated.
Would a Fortune 1000 organization's IT Quality Assurance organization that is independent of the development group and has qualified application security personnel meet this requirement?
I'm guessing not, but want the opinions of the group.
npuetz
08-02-2007, 03:52 AM
I am guessing that an acquiring bank would give some wiggle room here. If I were reviewing this control and you told me that your code was being reviewed by an internal group that had adequate knowledge of secure app coding, I would accept that. Like you said, it doesn't state that it has to be performed by an external entity.
Keep in mind, this needs to be actual code review; not an application scan (i.e., WebInspect or AppScan). This is handled in control 11.3.2. At least that is my interpretation of the control.
RARBE
08-23-2007, 04:46 AM
My take on 6.6 is that it is basically up to me as the QSA whether to come down hard or to allow a separate in-house department to perform it.
I base my judgement on the other requirements - as a QSA you get a feel for how much the client's company culture is pro-PCI as a security improvement or sees it as strictly compliance. If they are just paying lip service on other points and PCI compliance is bolt-on, then I cannot see them doing a good job on their code either.
I would then use this requirement to ensure a 3rd party is involved in the code review.
I also find, with regard to the code base, that the other issues in req 6, i.e. the XSS and the other injection tests and the developers' knowledge, give clues as to how well written the code is. As a pentester I ask the client to try some simple tests for each point (I can send these over to any who request it) - if they fail then I push for 6.6 external review and I also take a good look at the annual app test results which for some reason missed these points. If that app test was done in house then it would not bode well for the code review being done in house either.
Of course the get out of jail for 6.6 under v1.1 is a WAF but I am not a fan.
Just my 2p worth.
Rgds
R.
jbhall56
08-24-2007, 05:42 AM
Here is the clarification I received from the PCI SSC in regards to my inquiry regarding 6.6.
"An entity that has an internal "organization that specializes in application security" may meet the intent of this requirement. As a QSA, you can make that determination. Key factors we recommend you consider are whether this organization truly specializes in application security (and doesn't just dabble in it occasionally, or have people that have taken classes), whether they have extensive experience performing code reviews (and in the language needing to be reviewed), and whether this organization/department is separate from the department that developed the code (developers should not be reviewing own code)."
overwatch
09-14-2007, 10:05 AM
Here is the clarification I received from the PCI SSC in regards to my inquiry regarding 6.6.
"An entity that has an internal "organization that specializes in application security" may meet the intent of this requirement. As a QSA, you can make that determination. Key factors we recommend you consider are whether this organization truly specializes in application security (and doesn't just dabble in it occasionally, or have people that have taken classes), whether they have extensive experience performing code reviews (and in the language needing to be reviewed), and whether this organization/department is separate from the department that developed the code (developers should not be reviewing own code)."
Thanks for posting the clarification.... which raises a thought... are all the clarifications sent out by PCI SSC available anywhere in any format? Or has any third party made an attempt to collate them?
jbhall56
09-15-2007, 04:43 AM
That is a recommendation that I will make at next week's PCI Community Meeting in Toronto. I think someone needs to catalog and maintain all of the questions and clarifications issued not only by the PCI SSC, but also Visa, MasterCard and everyone else.
Chris
09-17-2007, 02:32 PM
At the community meeting, the SSC indicated that they are assembling a FAQ area to be released in the near future onto their website. Hopefully this will become a good repository for these answers.
mdahn
10-02-2007, 05:18 PM
Jeff, there is no list of companies qualified to do this audit but the requirement is meant such that the review would be done by a competent person/group. The idea being that whoever reviews the code should have some experience behind them and not be just out of computer science 101.