The release of PCI DSS version 2.0 brings new requirements and changes that can have a lasting effect on those who must comply with the standard beginning January 1, 2010. Which of the changes are actionable for your organization?
The entire spectrum of changes is covered in three documents released by the PCI Security Standards Council:
1) PCI DSS Changes Summary for PCI DSS 1.2.1 to 2.0
2) Navigating PCI DSS: Understanding the Intent of the Requirements
3) PCI DSS Requirements and Security Assessment Procedures
Reading any one of these documents by itself may give the reader a false sense that PCI DSS 2.0 does not change much from v1.2.1. Only by using all three documents together does the full range of clarifications, changes, and new requirements reveal itself.
The first class of changes is new and clarified definitions of terms. For example, in the introductory paragraph of Section 9, "onsite personnel" is defined as "temporary employees, contractors and consultants, full-time and part-time employees who are physically present on the entity's premises," and the new definition is then used in Section 9.2. There is little to no impact between v1.2.1 and v2.0 from this change.
One clarified requirement that may have an impact on operations is found in Section 2.2.2. Examples of insecure services, protocols or daemons are now given: file sharing, NetBIOS, FTP and Telnet. These useful examples were missing from v1.2.1. The requirement goes on to give examples of how such services, protocols and daemons are to be protected if the business requires them: encrypted tunnel protocols such as Secure FTP (S-FTP), Secure Shell (SSH), IPsec VPN or Secure Sockets Layer (SSL) are to be used. So we have a clarification that may affect daily operations: the deployment of encrypted tunnel protocols between systems that use NetBIOS, Telnet, FTP or file sharing.
Because NetBIOS and file sharing are common on Microsoft Windows platforms, day-to-day operations may be affected if encrypted tunnels are not already in use inside the restricted Cardholder Data Environment (CDE).
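The first operational step under Section 2.2.2 is knowing which of the named insecure services are actually listening on CDE hosts. The following script is an added example, not part of the original article or any PCI SSC material: it parses socket-listing output in the format of Linux `ss -H -ltn` (or the `netstat -tln` table), flags the ports of the services Requirement 2.2.2 lists as examples (FTP, Telnet, NetBIOS, SMB file sharing), and pairs each finding with the secured technology the requirement suggests. The port-to-service table, the remediation text and the sample output are the author's assumptions and constructed data, so tune them to your own environment.

```python
"""Flag listening services that PCI DSS v2.0 Requirement 2.2.2 names as
insecure (NetBIOS, file sharing, Telnet, FTP) in ss/netstat output.

Added example, not from the original article.  Input format assumed:
`ss -H -ltn` on Linux (or a `netstat -tln` table).  The sample lines at
the bottom are constructed, not captured from a real host.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Ports for the services Requirement 2.2.2 gives as examples, paired with
# the secured technology the requirement suggests in their place.
# (Assumed mapping; extend it for services specific to your CDE.)
INSECURE_PORTS: dict[int, tuple[str, str]] = {
    21:  ("FTP",               "S-FTP (SFTP over SSH) or FTPS over SSL/TLS"),
    23:  ("Telnet",            "SSH"),
    137: ("NetBIOS-NS",        "IPsec VPN, or disable if not required"),
    138: ("NetBIOS-DGM",       "IPsec VPN, or disable if not required"),
    139: ("NetBIOS-SSN",       "IPsec VPN / SMB signing and encryption, or disable"),
    445: ("SMB file sharing",  "IPsec VPN / SMB encryption, or disable"),
}

LOOPBACK = {"127.0.0.1", "[::1]"}


@dataclass(frozen=True)
class Finding:
    port: int
    service: str
    bind_addr: str
    exposed: bool        # False when bound to loopback only
    remediation: str


# Matches a local-address column such as "0.0.0.0:23", "*:445",
# "[::]:139" or "127.0.0.1:21".  The peer column "0.0.0.0:*" does not
# match because the port must be digits.
_LOCAL_ADDR = re.compile(r"(\[[^\]]*\]|[\d.]+|\*):(\d+)")


def parse_listeners(output: str) -> list[tuple[str, int]]:
    """Return (bind_addr, port) for each LISTEN line in ss/netstat output.

    In both ss and netstat layouts the local address precedes the peer
    address, so the first column that matches is the local socket.
    """
    listeners: list[tuple[str, int]] = []
    for line in output.splitlines():
        if "LISTEN" not in line:
            continue
        for col in line.split():
            m = _LOCAL_ADDR.fullmatch(col)
            if m:
                listeners.append((m.group(1), int(m.group(2))))
                break
    return listeners


def audit(output: str) -> list[Finding]:
    """Flag every listener whose port is in INSECURE_PORTS, sorted by port."""
    findings = []
    for addr, port in parse_listeners(output):
        if port in INSECURE_PORTS:
            service, fix = INSECURE_PORTS[port]
            findings.append(Finding(port, service, addr, addr not in LOOPBACK, fix))
    return sorted(findings, key=lambda f: f.port)


# Constructed sample in `ss -H -ltn` layout (no header row).
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      5            0.0.0.0:23        0.0.0.0:*
LISTEN 0      50           0.0.0.0:445       0.0.0.0:*
LISTEN 0      50           0.0.0.0:139       0.0.0.0:*
LISTEN 0      32         127.0.0.1:21        0.0.0.0:*
LISTEN 0      128             [::]:443          [::]:*
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SS_OUTPUT):
        scope = "network-exposed" if f.exposed else "loopback only"
        print(f"port {f.port:>3} {f.service:<17} on {f.bind_addr:<10} "
              f"({scope}) -> {f.remediation}")
```

Run against the constructed sample, the script reports FTP on loopback, and Telnet, NetBIOS-SSN and SMB bound to all interfaces, while SSH on 22 and HTTPS on 443 pass. The `exposed` flag separates a service that is only reachable locally from one that must be tunnelled or disabled before the next assessment; both still need to be justified in the system's documented configuration standard.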
The PCI DSS Changes Summary for PCI DSS 1.2.1 to 2.0 provides 20 pages of changes, each page with about 8 rows, and a few rows carry more than one change. This amounts to well over 200 changes. Which of them have no effect on your organization? Which will require updates to your existing operations? Which will need a risk assessment in order to fully understand, accept and justify their use? Far more than you might think. Which of these changes are new requirements that go into effect January 1, 2011, and which can be implemented over time? A structured review of the PCI DSS 2.0 changes with all of the company's stakeholders in the same room is the most efficient way to determine which changes are actionable and who will be responsible for implementation and operation.