Legacy Code Platform Compliance?
Our main application is written in a legacy language (VB 6, EoL March 2003). This is the CC processing platform. What are the requirements for these older languages? Is there a PCI-DSS rule that would support moving to a newer language such as .Net?
Thank you,
Dan
jonassono
02-26-2009, 10:15 AM
PCI-DSS is not concerned with the programming language used by a merchant to build a custom application for processing CC transactions.
However, the latest Ver 1.2 requires that public-facing web applications be screened for specific vulnerabilities by: i.) undergoing a code review; ii.) scanning the application with a manual or automated web application vulnerability scanner; or iii.) implementing a web-application firewall to block non-essential traffic (Requirement 6.6).
jbhall56
02-27-2009, 06:33 AM
Given the move to roll out browser-based applications internally, I would highly recommend that you perform code reviews on ANY browser-based application, regardless of whether or not it faces the Internet.
The reason is simple. People on the inside are even more likely to execute cross site scripting, SQL injection or other application attacks. And, in most instances, it's much easier and more successful to perform such attacks on the inside.
In regards to using the term 'legacy', if the application is not running in a browser, it is likely to not require a significant amount of code review as the application is at very low risk of compromise. However, organizations with mainframes need to be cognizant of the fact that these systems do provide IP-based services such as Telnet and SQL databases that are just as susceptible to attack as Windows and Linux. So, just because you have a mainframe, does not remove you from having to protect your systems.
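The code review both posters above recommend is usually concrete: a reviewer looks for places where request input is spliced into a query string and confirms the fix by re-running the lookup with a quoted test value. The following is an added example, not code from this thread, written in Python against an in-memory SQLite table rather than the VB6/.Net stack under discussion; the `cards` table, its masked sample rows, the `lookup_*` helpers and the review heuristic are all assumptions made for illustration.

```python
"""Added example (not from the thread): what a code review under PCI-DSS
Requirement 6.6 looks for in a browser-facing lookup, shown on a constructed
SQLite table. The table, data and helper names are assumptions."""
import re
import sqlite3

# Constructed sample data: a card-on-file table keyed by merchant customer id.
# Only a masked PAN is stored; a real PAN would never sit here in plain text.
SAMPLE_ROWS = [
    ("c-1001", "alice", "************1111"),
    ("c-1002", "bob", "************2222"),
    ("c-1003", "carol", "************3333"),
]


def make_db():
    """Build an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (customer_id TEXT, name TEXT, pan_masked TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, customer_id):
    """The pattern a reviewer flags: user input spliced into the SQL string.
    Kept deliberately unsafe so the contrast with lookup_safe is visible."""
    sql = "SELECT customer_id, name, pan_masked FROM cards WHERE customer_id = '%s'" % customer_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, customer_id):
    """The hardened form: the value travels as a bound parameter, so the
    database never interprets it as part of the SQL."""
    sql = "SELECT customer_id, name, pan_masked FROM cards WHERE customer_id = ?"
    return conn.execute(sql, (customer_id,)).fetchall()


# Constructed test input a reviewer uses to confirm the fix: a value containing
# a quote that would close the string literal in the vulnerable version.
REVIEW_INPUT = "x' OR '1'='1"


def compare(customer_id=REVIEW_INPUT):
    """Return (rows from the vulnerable version, rows from the safe version)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, customer_id), lookup_safe(conn, customer_id)
    finally:
        conn.close()


# Heuristic a reviewer can run over source lines: an SQL keyword on the same
# line as string formatting or concatenation. A finding is a prompt to read
# the line, not proof of a defect (see the log line in SAMPLE_SOURCE).
_SQL_KEYWORD = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)
_STRING_BUILD = re.compile(r"""(%\s*\(|%\s*[A-Za-z_]|\.format\(|\+\s*[A-Za-z_]|f["'])""")


def review_sql_lines(lines):
    """Return (line_number, line) pairs that appear to build SQL dynamically."""
    findings = []
    for n, line in enumerate(lines, start=1):
        if _SQL_KEYWORD.search(line) and _STRING_BUILD.search(line):
            findings.append((n, line.strip()))
    return findings


# Constructed source excerpt standing in for a file under review.
SAMPLE_SOURCE = [
    'sql = "SELECT * FROM cards WHERE customer_id = \'" + cid + "\'"',
    'sql = "SELECT * FROM cards WHERE customer_id = ?"',
    'rows = conn.execute(sql, (cid,)).fetchall()',
    'log.info("DELETE of %s rows" % count)',
]

if __name__ == "__main__":
    vuln, safe = compare()
    print("vulnerable returned %d rows, safe returned %d" % (len(vuln), len(safe)))
    for n, line in review_sql_lines(SAMPLE_SOURCE):
        print("review line %d: %s" % (n, line))
```

Run as a script, the vulnerable lookup returns every row for the review input while the parameterized one returns none, which is the evidence a reviewer records for the fix; the line scan flags the concatenated query and, as a reminder that the heuristic is only a starting point, the harmless log statement as well.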
Thank you for the input. We have few public facing websites and perform code review on all code changes that are made, so there is no issue there. We were mainly concerned with the fact that the code base is no longer supported by MS and there is a persistent rumor that PCI would not validate code that is no longer supported.
Thank you for the clarification.