Saturday, January 29, 2011

PCI DSS and PA-DSS Summary of Upcoming Changes

The new versions of the Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS), released by the PCI Security Standards Council in October 2010, are now coming into effect.

First, the standards development lifecycle and feedback process has been extended from two years to three, beginning with the October 2010 release. According to the PCI SSC, the additional year “provides extra opportunities for stakeholder input and feedback, a longer time period for the feedback to be submitted and more merchant friendly start date to implement, along with longer sunset periods for existing standards.”

Here is a brief rundown of the anticipated changes:

    * Clarification that PCI DSS Requirements 3.3 (masking of displayed PAN) and 3.4 (rendering stored PAN unreadable) apply only to the PAN, not to other cardholder data. The language is aligned with the PTS Secure Reading and Exchange of Data (SRED) module.

    * Clarification that all locations and flows of cardholder data must be identified and documented, so that the cardholder data environment is scoped accurately.

    * The definition of "system components" is expanded to include virtual components. Requirement 2.2.1 is updated to clarify the intent of "one primary function per server" and how it applies when virtualization is used.

    * Additional clarification on secure boundaries between the Internet and the cardholder data environment.

    * Recognition that issuers have a legitimate business need to store sensitive authentication data (which other entities must not retain after authorization).

    * Clarification of processes, and increased flexibility, for cryptographic key changes, for retired or replaced keys, and for the use of split knowledge and dual control.

    * The vulnerability-management requirement is updated to allow vulnerabilities to be ranked and prioritized according to risk.

    * Requirement 6.3.1 is merged into Requirement 6.5 to eliminate redundancy between the secure-coding requirements for internal and for web-facing applications.

    * The requirement governing copying, moving and storing cardholder data during remote access is updated to allow a documented business justification.

    * PA-DSS: further guidance on the applicability of PA-DSS to hardware terminals.

    * PA-DSS: a new sub-requirement that payment applications support centralized logging, in alignment with PCI DSS Requirement 10.5.3.

    * PA-DSS: Requirements 10 and 11 (remote update and remote access) are combined to remove redundancies.
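The first bullet turns on a distinction that is easy to get wrong in code: Requirement 3.3 (mask displayed PAN to at most the first six and last four digits) and Requirement 3.4 (render stored PAN unreadable by truncation, one-way hashing, tokenization or strong cryptography) cover the PAN alone, while cardholder name and expiry date are not subject to them, and sensitive authentication data such as CVV2 must not be kept after authorization at all (Requirement 3.2), which is what the issuer exception in the fifth bullet carves out. The following Python sketch is an added example written for this post, not code from the PCI SSC or from any payment application. The card numbers are publicly documented test numbers, the other record fields are made up, and the HMAC key is a placeholder standing in for a key managed under Requirements 3.5 and 3.6.

```python
import hashlib
import hmac
import re

# Constructed sample authorization records. The PANs are publicly documented
# test card numbers, not real accounts; the other fields are invented.
SAMPLE_RECORDS = [
    {"pan": "4111 1111 1111 1111", "expiry": "12/14", "cvv2": "123", "name": "TEST CARDHOLDER"},
    {"pan": "5500000000000004",    "expiry": "01/15", "cvv2": "456", "name": "TEST CARDHOLDER"},
]

# Hypothetical stand-in for a key kept under the Requirement 3.5/3.6
# key-management controls (generation, storage, rotation, split knowledge).
HASH_KEY = b"example-key-managed-under-req-3.5-and-3.6"


def normalize_pan(pan: str) -> str:
    """Strip separators so masking, hashing and the Luhn check see the same digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return digits


def luhn_valid(pan: str) -> bool:
    """Mod-10 check-digit test used by card numbers; an input sanity check only."""
    digits = [int(d) for d in normalize_pan(pan)]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Requirement 3.3 display rule: at most the first six and last four digits visible."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def truncate_pan(pan: str) -> str:
    """One Requirement 3.4 option for stored PAN: keep only the last four digits."""
    return normalize_pan(pan)[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Another 3.4 option: a keyed one-way hash (HMAC-SHA256).

    An unkeyed hash is a weak choice here: a 16-digit PAN with a known
    issuer prefix and a Luhn check digit is a small enough space to
    brute-force, so the secret key is what makes the hash one-way in practice.
    """
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


def prepare_for_storage(record: dict, key: bytes) -> dict:
    """Post-authorization record for storage.

    Only the PAN is subject to 3.3/3.4, so name and expiry are kept as they
    are; cvv2 is sensitive authentication data (Requirement 3.2) and is
    dropped rather than protected. The truncated and hashed forms of the
    same PAN are not stored side by side: together they shrink the search
    space for recovering the full PAN.
    """
    stored = {k: v for k, v in record.items() if k not in ("pan", "cvv2")}
    stored["pan_hmac"] = hash_pan(record["pan"], key)
    return stored


def prepare_for_display(record: dict) -> dict:
    """Receipt or screen view: masked PAN, no sensitive authentication data."""
    shown = {k: v for k, v in record.items() if k != "cvv2"}
    shown["pan"] = mask_pan(record["pan"])
    return shown


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        assert luhn_valid(rec["pan"])
        print(prepare_for_display(rec))
        print(prepare_for_storage(rec, HASH_KEY))
```

The point of keeping `truncate_pan` and `hash_pan` as separate options is that a system picks one for a given store; the masking rule and the storage rule are distinct requirements and the masked display string is not itself an acceptable stored form.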
