
SANS ISC: Updated Standards Part 2 - PCI DSS/PA DSS - SANS Internet Storm Center SANS ISC InfoSec Forums


Updated Standards Part 2 - PCI DSS/PA DSS
Last week the PCI Security Standards Council released the next versions of the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA DSS), version 3.0. The standards are updated on a three-year cycle and are valid from the date of release. The previous version can still be used for certification until 31 December 2014, giving companies plenty of time to adjust to the new requirements.
 
The changes are mostly clarifications of the current requirements. A few requirements have been combined or moved, but there are no earth-shattering changes.
 
Unlike ISO 27001, each of the standards comes with a summary-of-changes document. These are available on the council's web site (www.pcisecuritystandards.org). One of the more visible changes is that the standard now provides, for each requirement, a guidance statement explaining why the requirement is important. The reporting requirements should be available in early 2014; they will provide insight into what documentation and evidence needs to be available when facing an assessment.
 
Mark H - Shearwater, ISC Handler
So, if the NSA or a criminal organization is sniffing the private fiber links between your datacenters, you are still PCI compliant even though customer information including credit cards is being stolen because the data is in transit and the links are private.
jbmoore
"One of the more visible changes is that the standard, for each requirement, now provides a guidance statement that explains why the requirement is important."
Hhmmm, a reason for doing something (i.e. why it is important). What a novel idea! ;-)
jbmoore
"NSA or a criminal organization"--isn't that redundant? I'm thinking of having a T-shirt made that says:
NSA Cloud Backup Services
"we have your data anyway, why not enjoy it?"
John