"Having assisted our clients' payment card security compliance since 2002, we have witnessed the evolution and maturity of the standards as they grow to address a changing threat landscape. The new release is timely and pertinent," states Senior Vice President of Client Services Chris Konrad.
"Following review of the new standards, it is my belief that many of our clients will be pleased with their greater clarity and increased flexibility," states Director of Client Services Joshua Lyons.
The new PCI DSS and PA-DSS standards offer improved alignment, clarifications, and guidance. While Fortrex advises merchants and service providers to carefully review the Council's published Summary of Changes documentation and to review the standards with their selected assessor in advance of assessment, the following PCI DSS changes are viewed as particularly important considerations:
-- Scope of Assessment for Compliance with PCI DSS Requirements - All locations and flows of cardholder data are in scope of assessment
-- Requirement 2.2.1 - Virtualization technologies are permitted with the restriction that one primary function per virtual system component be enforced
-- Requirement 3.2 - Issuers are identified as allowed to store sensitive authentication data given business justification and secure storage
-- Requirement 3.6.4 - Key management procedures may include periodic key changes based on cryptoperiods aligned with industry best practice
-- Requirement 6.5 - Version 1.2.1 requirement 6.3.1 has been consolidated into requirement 6.5 in the new release, with current guidance from the SANS CWE Top 25, CERT Secure Coding, and the OWASP Guide provided as reference sources for industry best practice vulnerability management
For payment application vendors, the following PA-DSS changes should similarly be reviewed:
-- Scope of PA-DSS - The PA-DSS is clarified as being non-applicable to payment applications developed for and sold to a single customer for the sole use of that customer
-- PCI DSS references have been removed, with PCI DSS testing procedures incorporated as sub-requirements
-- Requirement 4.4 - New requirement necessitating payment application facilitation of centralized logging
-- Requirement 5.2.6 - New requirement addressing high-risk vulnerabilities identified in requirement 7.1
-- Requirements 10 and 11 have merged
For further information and reference, Fortrex has published its recent webinar, "PCI 2.0 Now What ??".
Version 2.0 becomes effective January 1, 2011, with the previous version 1.2.1 of the standard permitted until December 31, 2011. Further information is available via the Council's web site: www.pcisecuritystandards.org