If you have to comply with the Payment Card Industry Data Security Standard (PCI DSS), you’ve probably heard that the PCI Security Council will issue version 2 of the standard by the end of October. About a month ago, the Council issued a Summary of Changes document that highlights the upcoming changes. Changes become effective January 1, 2011 and fall into three categories: clarification, additional guidance and evolving requirement. Various compliance and infosec experts have already covered the topic thoroughly, but here is a quick summary of the expected changes:
- Applicability of PCI DSS and cardholder data (Intro)
- Further clarification of the DMZ (Req 1)
- Applicability of PCI DSS to issuers or issuer processors (Req 3.2)
- Key management processes (Req 3.6)
- Merge of Req 6.3.1 into Req 6.5 to eliminate redundant secure coding requirements for internal and web-facing apps
- Remote copy, move and storage of cardholder data (Req 12.3.10)
- Ensure all locations of cardholder data are included in scope of PCI DSS assessments (scope of assessment)
- Provide guidance on virtualization (intro and various reqs)
- Apply a risk-based approach for addressing vulnerabilities (Req 6.2)
We’ll perform a complete evaluation once the final standard is made available to us, but given the nature of the changes, I anticipate that our Tripwire Enterprise and Tripwire Log Center customers will be able to swiftly satisfy the requirements of version 2. If you’re not a Tripwire customer yet, here’s how our integrated solutions can help you achieve and maintain PCI DSS compliance.
Being a Participating Organization in the PCI Council also has some very nice benefits. We get to see documents before they are made public. In fact, on Tuesday afternoon we received the draft of the upcoming version 2. Unfortunately, we are sworn to confidentiality and cannot share it for the time being. What's more, in a few days I'll be at the PCI Community Meeting in Orlando, learning more about the upcoming changes in version 2 of the standard. I'll share as much with you as possible, so stay tuned.
I'll also have the opportunity to talk with some compliance experts and will capture their thoughts on the upcoming changes to share with you.