PCI DSS 2.0 has landed
I’m sure most of you would have already seen this, namely a document that summarises the upcoming changes to PCI DSS and what’s going to be in Version 2.0:
Official pre-release with Participating Organizations will happen early September, with release to Merchants, Service Providers and QSAs at the end of October.
Yes, that’s right. QSA’s won’t get to see it until it’s finally published.
So what’s new?
1) 3 year lifecycle. PCI DSS v3.0 won’t be out until October 2013
2) Nothing significant, as I’ve always maintained. So go shoot those vendors who said that HSMs and DLP would be mandatory in 2010.
3) Scoping. ALL transmission, storage and processing of card data must be referenced in the report, even if the entity doesn’t want it listed.
4) A bit more flexibility around secure key management (3.6), that has always been needed
5) Risk based approach for patching (6.2), which has always been inferred but widely misunderstood. It’s up to the entity to measure risk and not the QSA.
6) PA DSS got upped to v2.0 too.
..and that’s about it. Hundreds of participating organizations have no doubt suggested a thousand things change and the Council has taken a pragmatic approach. As with the last standard releases, changes are subtle and based around clarity.
PCI DSS v2.0 and PA DSS v2.0 must be adopted by all organisations by Jan 1st 2011. Christmas peak trading period? Still wondering if the PCI SSC actually know what this is… 🙂
Any questions please fire them across and I will be happy to help.