Top 5 Changes in PCI DSS 2.0

Last Thursday brought the second whole version of the Payment Card Industry’s Data Security Standard.  On their newly updated site, the council makes the new version available, accompanied by three updated documents: summary of changes, navigating the DSS, and the glossary.

So what has this new incarnation brought us?  Honestly, not as much as most had hoped.  Then again, it’s not as much as some feared.  That’s not to say there aren’t things to be aware of.  While most .0 release versions are major updates, this iteration was named thusly in order to bring it in line with the new three-year lifecycle.  I decided to sum up what I feel are the five biggest updates with a little bit of commentary (don’t forget that others might be doing this as well):

  1. Discovery – QSAs reading this will be very familiar with said process.  At the beginning of most PCI assessments (and throughout), the on-site QSA will attempt to ensure that the scope provided by the client is accurate.  They must in order to ensure their sampling is correct and that no major payment flows go unaddressed.  It’s part of the drill when you must cover unlimited liability with due diligence.  And many merchants and service providers have been more than willing to allow the QSA to do this leg work.  Now that it’s a required portion of the scoping, why not perform this internally and save money during your assessment?
  2. Virtualization – Anybody actually think that we would see virtualization-centric requirements?  No?  Good.  While the hypervisor and virtual platform receive mention, the approach currently (until the SIG publishes recommendations) is to assess virtualization with traditional best practices.  This is not a bad thing.  Most virtual environments are mirrors of their physical counterparts (and for the differences, well, that’s another post).  Protect them as you would any other servers and follow industry guidance for hardening and configuration.
  3. Checkmarks – That’s to say, there are more of them; testing procedures mostly.  However, most are instantiated from the previously existing requirements.  Worst case scenario, your QSA will require a bit more time during the assessment and your year-over-year metrics will require some tweaking (you are keeping metrics, right?).
  4. Clarifications – There are a LOT of them.  Most quality QSAs have been providing interpretations along the lines of these clarifications based on security best practices and tenets.  Others may have taken a more literal reading and provided an in-place ruling.  Validate each clarification to ensure that past decisions still uphold the requirement and its intent.
  5. No NEW requirements – Ok, ok, not really a change.  But as implied up front, this IS your parent’s DSS.  Some bemoan the fact that a three-year publication schedule allows new attack vectors to be introduced without counteracting guidance.  But this is the molding of the standard in order to keep it as just that, a standard.  While the QSA industry is moving towards an audit approach, the Council seems to be trying its best to keep itself as a minimum bar with just enough detail to provoke action but not a checkmark mentality.  Surely the next whole version release will be monumental, but for now, enjoy the comfortable form factor.

That’s it!  Nothing too scary.  There’s plenty of fine detail (so quit using WEP already)!  If you are a QSA or accept cards as a merchant or service provider, your mileage will vary, so take a look at the summary of changes to see how the new changes impact you and yours.