PCI Practice Manager, Comsec Consulting

The PCI Data Security Standard (DSS) has a three-year lifecycle, over the course of which the PCI Standard Security Council (SSC) follows technological developments, and gathers input and requests from QSAs and QSA certified organizations, for the purpose of updating the PCI DSS. Until now, the PCI DSS version in use has been version 1.2 which was released in October 2008. Therefore, at the end of October 2010, PCI DSS version 2.0 was released by the PCI SSC.

As a QSA who has led numerous PCI certification processes, I chose to hold a round-table yesterday in Israel for leading enterprises required to comply with the PCI standard, in order to present and highlight the significant differences between the versions and assist these organizations with the adaptation to and preparation for the new requirements. Version 2.0 will be valid from January 2011, however organizations already in process with version 1.2 will be able to continue certification with this version until the end of 2011.

The new PCI DSS version will delve into and provide:

• Clarifications regarding Cardholder Data (CHD) environment scoping.
• Guidelines regarding virtualization with an emphasis on hardening procedures and configurations.
• Further details on DMZs, namely separation of organizational and internet networks.
• Guidelines for organizations that issue credit cards regarding the storage of Sensitive Authorization Data (SAD).
• Increased flexibility regarding cryptographic key management with regards to change management procedures and dual control.
• Increased flexibility that enables the implementation of a risk management program as an alternative to critical patch installation in the short-term, according to requirement 6.1, that requires that critical patches be installed within one month from their release.
• Recognition of other other leading international standards, such as CWE and CERT for the purpose of Security Code Review. In addition, version 2.0 requires an application security expert’s involvement in processes of security code review, in addition to an automated tool.
• Increased flexibility with regards to the saving, storing, and consequent deletion of CHD with remote access upon business need only; until now, according to requirement 12.3.10 it has been prohibited to save CHD locally in any circumstance.