Tags: php, pci-compliance, pci-dss

Which SAQs should I be filling as part of PCI DSS self assessment as web developer?


Which requirements am I obliged to fulfil, as part of the self-assessment, as a web developer for an eCommerce application? I have lots of SAQs (self-assessment questionnaires) as part of PCI DSS.

What should be the scope of concern throughout the development life-cycle?

  • Development
  • Testing
  • Deployment
  • Any other aspect you might think of?

Is there any open source tool to support this process (assessment and tracking), etc.?


Solution

  • Only a QSA can give you an official answer, but I can give you some ideas.

    How is the web app being used? This will help determine your scope:

    • Is it only for your own use? The best scenario is to use an iFrame or full page direct from a PCI compliant provider (generally the payment gateway); this could be SAQ A. If you need to do a direct post (i.e. the credit card details never touch your server) then you may be able to use SAQ A-EP. If the credit card number touches your server then it's SAQ D. Aim for SAQ A; it'll save you a big headache.
    • Do you provide it for clients to use in their own systems where they have control over the code or servers? Take a look at PA-DSS.
    • Do you offer it as a service to clients where they have no control of the system? Then you'd need SAQ D service provider.

    Take a look at requirement 6 to get an idea of what is needed for the SDLC.

    Tools-wise there's the PCI scoping toolkit; I'm not sure that's what you're asking for though.
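The scope distinction in the answer above hinges on whether a card number ever reaches your server. As an added example (not part of the question or answer), here is a small guard for a PHP checkout endpoint that is meant to stay in SAQ A / A-EP scope: it scans the submitted fields for Luhn-valid 13 to 19 digit numbers and, if one is found, refuses the request and logs a masked value, so a form that has silently started posting card details to your server (which would put you in SAQ D) is caught during testing or in production. The field names, the sample POST and the use of `error_log` are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original page. Assumed: a checkout handler
// that must never receive a PAN; field names and sample data are constructed.

/** Luhn (mod 10) check to tell a real card number from other digit strings. */
function luhnValid(string $digits): bool
{
    $sum = 0;
    $double = false;
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double && ($d *= 2) > 9) {
            $d -= 9;
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

/** Mask a PAN for logging: keep first six and last four, never the full number. */
function maskPan(string $pan): string
{
    return substr($pan, 0, 6) . str_repeat('*', strlen($pan) - 10) . substr($pan, -4);
}

/** Return field name => masked PAN for every submitted value that looks like a card number. */
function findPanFields(array $fields): array
{
    $hits = [];
    foreach ($fields as $name => $value) {
        if (!is_string($value)) {
            continue;
        }
        $digits = preg_replace('/[\s-]/', '', $value); // tolerate "4111 1111 ..." or dashes
        if (preg_match('/^\d{13,19}$/', $digits) && luhnValid($digits)) {
            $hits[$name] = maskPan($digits);
        }
    }
    return $hits;
}

// Constructed sample POST: a token is fine, a raw PAN is a scope violation.
$samplePost = [
    'order_id'      => '100234',
    'payment_token' => 'tok_abc123',          // what an SAQ A / A-EP flow should carry
    'cc_number'     => '4111 1111 1111 1111', // well-known test PAN, Luhn-valid
];

$hits = findPanFields($samplePost);
if ($hits !== []) {
    error_log('Cardholder data reached the server in field(s): ' . json_encode($hits));
    http_response_code(400);
    exit('Card data must be sent directly to the payment provider.');
}
```

Run against the sample it logs `{"cc_number":"411111******1111"}` and rejects the request; wire the same check in as early middleware so the PAN is never written to request logs or error traces.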