PCI Updates

I thought I would take a few minutes to wish everyone happy holidays and a very prosperous 2011. I also noticed that I hadn’t blogged in a while, so I thought I’d do a little of that…

This blog provides a few updates and observations related to the following:

  • PCI DSS v1.2.1 to PCI DSS v2.0 transition – very well defined, except for the cut-over date. The bottom line is that the PCI SSC is encouraging all merchants and service providers to convert as soon as possible, while at the same time saying everyone has until New Year’s Eve 2011 (one year).
  • PCI DSS and PA-DSS v2.0 Scoring Templates – QSAs can’t plan their projects without the new Scoring Templates. This will stall migrations.
  • Sampling And ASV Scanning Do Not Mix – this was never a free lunch, but some still manage to screw it up…

    PCI DSS Timeline Clarification

    Yes, there have been a few challenges in the PCI Security Standards Council’s communications regarding the otherwise well-planned transition from PCI DSS v1.2.1 to PCI DSS v2.0. The process for replacing one DSS version with another was robustly defined: it takes two years and passes through four distinct phases. However, sunsetting v1.2.1 has run into a few challenges because no clear date was defined for when everyone is supposed to move from the old version to the new one. I think that once people get through this migration the process will improve further, and future transitions will be much smoother. Also, since the PCI SSC has stated that everyone has the entire calendar year of 2011 to convert from v1.2.1 to v2.0, I expect that fellow QSAs will get a lot of push back from clients who wish to argue the weak cut-over statement.

    The PCI Security Standards Council apparently got the message that they didn’t do a very good job of communicating the sunset date for PCI DSS v1.2.1 and the commencement date for PCI DSS v2.0. As a result, they issued a clarification in the PCI QSA newsletter for November 2010. To quote the Council:

    Entities needing to comply with the PCI DSS are strongly encouraged to begin using the new standard immediately. However, version 1.2.1 will remain effective until December 31st, 2011 to allow everyone time to adopt any changes they may need to in order to maintain their PCI DSS compliance. This means that organizations assessing and reporting compliance during 2011 may validate to either version 1.2.1 or 2.0. However, the Council urges all organizations to complete their transition to the new standard as quickly as possible, especially where any new controls may enhance the protection of cardholder data.

    PCI DSS and PA-DSS v2.0 Scoring Templates

    Since QSAs do not have the DSS v2.0 scoring template and won’t until sometime in late January 2011, it makes planning and performing any assessments difficult until the new scoring templates are issued. The earliest I can see any legitimately performed v2.0 assessments getting started is probably in March/April 2011. It sure would have been nice to have the templates a bit earlier, but better late than never.

    Expiration Of PABP v1.4 Extended 90 Days

    The PABP v1.4 standard was supposed to expire on December 2, 2010; however, the expiry has been extended until March 2, 2011. To quote the Council:

    This updated deadline recognizes the challenges many merchants and Payment Application end users have in implementing system changes over the busy holiday period, and allows the Payment Application vendor community to consider submitting new versions of their products for assessment against the new PA-DSS 2.0 standard.

    The Council is committed to reviewing all submissions for the updated versions of expiring PABP v1.4 applications, and this new March 2nd 2011 deadline will allow the review process to be completed before previous versions of these applications expire. This extension will also provide more time for PA-QSAs to complete reviews of those Payment Applications that are currently in process. Finally, this extension will allow Payment Application vendors, should they choose, to hold off on assessment of expiring Payment Applications and instead submit (after January 1st, 2011) their Payment Applications for assessment against the new PA-DSS v2.0 standard.

    Sampling And ASV Scanning Do Not Mix

    While sampling of devices is allowed under the PCI DSS, it is NOT ALLOWED for ASV scans. Sampling is only allowed for DSS audit validation testing. I’ve talked to dozens of clients who have been “informed” by their previous QSA or security consultants that it is “OK to use a sample of internet accessible systems” for ASV scanning. NOPE, NOPE, NOPE… Come on QSAs, get it right or stop advising your customers. To quote the Council:

    Within a given quarter, all Internet accessible systems must pass an ASV scan. It is not necessary that they all be scanned at the same time, but they all must be scanned quarterly.

    This is probably one of the most clearly defined requirements in the PCI DSS, yet it seems silly that some people still don’t understand that 1 + 2 = 10 🙂

    The bottom line here is that you MUST scan ALL of the devices and systems at your business that face the Internet.
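    To make the "all of them, every quarter, not necessarily on the same day" rule concrete, here is an added coverage check that is not part of the original post or any PCI SSC tooling. It takes a constructed inventory of Internet-facing hosts and constructed ASV scan records (hypothetical `.test` hostnames) and reports, per quarter, every host without a passing scan; a host that only failed, or was simply left out of the "sample", shows up as a gap.

```python
from datetime import date

# Constructed sample inventory of Internet-facing systems (hypothetical names).
INVENTORY = ["www.example.test", "vpn.example.test",
             "api.example.test", "mail.example.test"]

# Constructed ASV scan records: (host, scan date, passed?).
# Scans may be staggered across the quarter; one passing scan per host
# within the quarter is what the requirement asks for.
SCAN_RECORDS = [
    ("www.example.test", date(2011, 1, 10), True),
    ("vpn.example.test", date(2011, 2, 3), False),
    ("vpn.example.test", date(2011, 2, 20), True),   # re-scan after remediation
    ("api.example.test", date(2011, 3, 29), True),
    ("www.example.test", date(2011, 4, 12), True),
    ("api.example.test", date(2011, 5, 5), False),   # failed and never re-scanned
]


def quarter_of(d):
    """Return (year, quarter) for a date, e.g. (2011, 1) for 2011-02-20."""
    return (d.year, (d.month - 1) // 3 + 1)


def asv_coverage_gaps(inventory, records, year, quarter):
    """Return the in-scope hosts with no passing ASV scan in the given quarter.

    A host counts as covered only if at least one of its scans in that quarter
    passed. A quarter with only failed scans, or no scan at all, is a gap.
    Every inventory entry is checked: sampling a subset is not acceptable.
    """
    passed = {host for host, when, ok in records
              if ok and quarter_of(when) == (year, quarter)}
    return sorted(h for h in inventory if h not in passed)


if __name__ == "__main__":
    for q in (1, 2):
        gaps = asv_coverage_gaps(INVENTORY, SCAN_RECORDS, 2011, q)
        status = "all covered" if not gaps else "gaps: " + ", ".join(gaps)
        print(f"2011 Q{q}: {status}")
```

    Feed it the real external-facing inventory (every public IP and hostname in scope, not just the ones someone picked) and the quarter's ASV results to see what a QSA would find.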
