Now this press release effectively says that the intent of code review requirement is met by:
* Manual web application security vulnerability assessments
* Proper use of automated web application security vulnerability assessment (scanning) tools

The press release indicates that section 6.6 is satisfied by either black or white box techniques:

The first option for application code review for meeting Requirement 6.6 is now subdivided
into four alternatives designed to meet the intent of the requirement. They include:
* Manual review of application source code
* Proper use of automated source code analyzer (scanning) tools
* Manual web application security vulnerability assessments
* Proper use of automated web application security vulnerability assessment (scanning)
tools.

You’re absolutely right though – there are tons of security weaknesses that can be identified through white box testing that are impossible to test through black box techniques. Lot’s of those weaknesses have a direct impact on cardholder data. For example:
- “Does the application always encrypt cardholder data before storing it or logging it?”
- “How are the encryption algorithms implemented?”
- “Are there other interfaces to the application besides the ‘front door’?”
- “Are there are Trojans or backdoors in the code?”

And of course the list could go on for a while…

/eh

(Full Disclosure: I used to work at Foundstone, I know Vivek personally, I currently work at Ounce Labs which makes a source code analyzer, I have performed PCI assessments in the past, I have worked with Visa and others on defining PCI requirements in prior versions, and probably other conflicts of interest).