PCI DSS 2.0 and PA-DSS 2.0 SUMMARY OF CHANGES - HIGHLIGHTS



Similar documents
Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version to 2.0

Transitioning from PCI DSS 2.0 to 3.1

UNDERSTANDING PCI 3.0 AND HOW TO REDUCE YOUR SCOPE

Thoughts on PCI DSS 3.0. D. Timothy Hartzell CISSP, CISM, QSA, PA-QSA Associate Director

Are You Ready For PCI v 3.0. Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0

Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance

PCI Self-Assessment: PCI DSS 3.0

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 3.0 to 3.1

Payment Card Industry Compliance Overview

PCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics

Payment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS

A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)

MPOS: RISK AND SECURITY

PCI PA-DSS Requirements. For hardware vendors

PCI Requirements Coverage Summary Table

Payment Card Industry (PCI) Point-to-Point Encryption

PCI Compliance Training

Administrative Improvements. Administrative Improvements. Scoping Guidance. Clarifications for Segmentation

PCI Requirements Coverage Summary Table

PCI Compliance. PCI DSS v3.1. Dan Lobb CRISC. Lisa Gable CISM

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

How To Protect A Web Application From Attack From A Trusted Environment

Payment Card Industry (PCI) Payment Application Data Security Standard

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

Credit Card Processing Overview

Qualified Integrators and Resellers (QIR) Implementation Statement

VMware Product Applicability Guide for. Payment Card Industry Data Security Standard

Payment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

Payment Application Data Security Standard

CardControl. Credit Card Processing 101. Overview. Contents

Payment Card Industry (PCI) Data Security Standard. PCI DSS Applicability in an EMV Environment A Guidance Document Version 1

Understanding the Role of Hardware Data Encryption in EMV and P2PE from the CEO s Perspective

Meet The Family. Payment Security Standards

North Carolina Office of the State Controller Technology Meeting

The PCI Security Standards Council. Jeremy King European Director

Becoming PCI Compliant

Adyen PCI DSS 3.0 Compliance Guide

Section 1: Assessment Information

Point-to-Point Encryption

Introduction. PCI DSS Overview

Corbin Del Carlo Director, National Leader PCI Services. October 5, 2015

PCI Compliance 3.1. About Us

Continuous compliance through good governance

Payment Card Industry Data Security Standards

ICS Presents: The October 1st 2015 Credit Card Liability Shift: This Impacts Everyone!

HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS

PCI Compliance Overview

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

PAYMENT CARD INDUSTRY (PCI) ANNUAL TRAINING DECEMBER 10, 2009 WESTERN ILLINOIS UNIVERSITY OFFICE OF THE CTSO & BUSINESS SERVICES

Payment Card Industry (PCI) Data Security Standard Report on Compliance. Template for Report on Compliance for use with PCI DSS v3.0. Version 1.

A Rackspace White Paper Spring 2010

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance

Payment Card Industry (PCI) Data Security Standard

Three Critical Success Factors for PCI Assessment. Seth Peter NetSPI April 21, 2010

PLACE GROUP UK LONDON STUDENT HOUSING GROUP PAYMENT CARD INDUSTRY DATA SECURITY STANDARD COMPLIANCE STATEMENT PCI DSS (09) VERSION: 2009PCIDSSP4S01

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

Payment Card Industry (PCI) Point-to-Point Encryption. Template for Report on Validation for use with P2PE v2.0 (Revision 1.1) for P2PE Application

Thoughts on PCI DSS 3.0. September, 2014

Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security

Template for PFI Final Incident Report for Remote Investigations

PCI DSS READINESS AND RESPONSE

EMV mobile Point of Sale (mpos) Initial Considerations

Universal Transaction Gateway (UTG ), 4Go, and i4go are covered by

PCI DSS Compliance for Cloud-Based Contact Centers Mitigating Liability through the Standardization of Processes for cloud-based contact centers.

Payment Card Industry (PCI) Additional Security Requirements for Token Service Providers (EMV Payment Tokens)

PCI Security Standards Council

Mobile Device Payment Card Processing: How Secure is It? Richard Poworski CISSP, ISP, ITCP, SCF, PCI QSA, PCIP Managing Consultant

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry Data Security Standard (PCI DSS)

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October cliftonlarsonallen.com CliftonLarsonAllen LLP

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

<COMPANY> P01 - Information Security Policy

Preparing for PCI DSS 3.0 & Ensuring a Seamless Transition. November 2013

Voltage SecureData Web with Page-Integrated Encryption (PIE) Technology Security Review

Understanding the SAQs for PCI DSS version 3

Payment Card Industry (PCI) Data Security Standard

PCI Compliance for Cloud Applications

Transcription:

Introduction 2.0 and PA-DSS 2.0 SUMMARY OF CHANGES - HIGHLIGHTS This document from the PCI Security Standards Council (PCI SSC) is designed to provide a transparent runway to the introduction of the new versions of PCI Data Security Standard (PCI DSS) and Payment Application-Data Security Standard (PA-DSS) targeted for release at the end of October. The purpose of the document is to share highlights of forthcoming changes to the standards in order to: Help stakeholders prepare to review and discuss the new pre-release versions of and PA-DSS at forthcoming Community Meetings in the US and Europe Prepare stakeholders to align their security programs with the updated standards Provide additional time for merchants to review and understand changes prior to implementation Publishing this document prior to release of more detailed information on the revised standards is part of the PCI SSC s ongoing commitment to providing a steady flow of information during the standards development process and eliminating any perceived surprises in the process. With that in mind, the SSC asks stakeholders to understand that the detailed summary of changes and prerelease versions of the standards will be shared with Participating Organizations in early September, prior to the North American Community Meeting taking place in Orlando on Sept 21-23. We hope Participating Organizations will join us at the Community Meeting to discuss the updates in more depth. Please note this document is for advance informational purposes only, and does not replace the current DSS, the to-be-published detailed summary of changes or new versions of the standards. The Standards Development Lifecycle and Feedback Process The PCI Security Standards Council develops security standards for the protection of payment card data in accordance with a planned lifecycle which is published on our website. The lifecycle ensures multiple opportunities for stakeholder input and feedback on standards, which is a vital part of ensuring PCI Security Standards remain ahead of the threat landscape. In June the SSC announced that in response to stakeholder feedback, the lifecycle for development of PCI Security Standards would move to a three year cycle from the previous two year cycle. This additional year provides extra opportunities for stakeholder input and feedback, a longer time period for the feedback to be submitted and more merchant friendly start date to implement, along with longer sunset periods for existing standards. Now all three PCI Standards (, PA-DSS and PTS requirements) operate on a three year lifecycle. For more information on the new lifecycle please see the following factsheets on the PCI SSC website: https://www.pcisecuritystandards.org/pdfs/pci_lifecycle_for_changes_to_dss_and_padss.pdf https://www.pcisecuritystandards.org/pdfs/pci_lifecycle_for_changes_to_pts.pdf

The new three year lifecycle becomes effective on publication of the revised and PA- DSS standards at the end of October. During the current revision cycle the SSC received hundreds of pieces of feedback from stakeholders around the world through the lifecycle feedback form. In addition to this formally submitted feedback the Council gathers comments through our Open Mic series, the Community Meeting discussions, input from Special Interest Groups, online FAQ portal and other industry events. In this feedback cycle more than half of the feedback submitted originated outside of the United States. Upcoming Changes to and PA-DSS Before introducing revisions to and PA-DSS the Council had to weigh many considerations including: What is best for payment security? Global applicability and local market concerns Appropriate sunset dates for other standards or requirements Cost/benefit of changes to infrastructure Cumulative impact of any changes Stakeholders will notice that the changes to 2.0 and PA-DSS 2.0 are relatively straightforward and do not introduce significant changes. This reflects the growing maturity of the standards as a strong framework for protecting cardholder data. The updated versions of PCI DSS and PA-DSS will: Provide greater clarity on & PA-DSS requirements Improve flexibility for merchants Help manage evolving risks / threats Align with changes in industry best practices

Clarify scoping and reporting Eliminate redundant sub-requirements and consolidate documentation Feedback gathered during the current cycle led to suggested changes that naturally fell into three main categories of change: : Modification that clarifies intent of requirement; ensures that concise wording in the standards portray the desired intent of requirements : Provides further information on a particular topic to increase understanding of the intent of the requirement Evolving : outlining situation not addressed in a standard; ensures the standards are up-to-date with emerging threats and changes in the market The following highlight table provides insight into the areas of feedback and changes anticipated and where they fall in these categories. Impact Reason for Change Proposed Change Category Intro Clarify Applicability of PCI DSS and cardholder data. Clarify that s 3.3 and 3.4 apply only to PAN. Align language with PTS Secure Reading and Exchange of Data (SRED) module. Scope of Assessment Ensure all locations of cardholder data are included in scope of PCI DSS assessments Clarify that all locations and flows of cardholder data should be identified and documented to ensure accurate scoping of cardholder data environment. Intro and various requirements Provide guidance on virtualization. Expanded definition of system components to include virtual components. Updated requirement 2.2.1 to clarify intent of one primary function per server and use of virtualization. 1 Further clarification of the DMZ. Provide clarification on secure boundaries between internet and card holder data environment. 3.2 Clarify applicability of PCI DSS to Issuers or Issuer Processors. Recognize that Issuers have a legitimate business need to store Sensitive Authentication Data.

Impact Reason for Change Proposed Change Category 3.6 Clarify key management processes. Clarify processes and increase flexibility for cryptographic key changes, retired or replaced keys, and use of split control and dual knowledge. 6.2 Apply a risk based approach for addressing vulnerabilities. Update requirement to allow vulnerabilities to be ranked and prioritized according to risk. Evolving 6.5 Merge requirements to eliminate redundancy and Expand examples of secure coding standards to include more than OWASP. Merge requirement 6.3.1 into 6.5 to eliminate redundancy for secure coding for internal and Web-facing applications. Include examples of additional secure coding standards, such as CWE and CERT. 12.3.10 Clarify remote copy, move, and storage of CHD. Update requirement to allow business justification for copy, move, and storage of CHD during remote access. PA DSS General Payment Applications on Hardware Terminals. Provide further guidance on PA-DSS applicability to hardware terminals. PA-DSS 4.4 Payment applications should facilitate centralized logging. Add sub-requirement for payment applications to support centralized logging, in alignment with requirement 10.5.3. Evolving PA-DSS s 10 & 11 Merge PA-DSS s 10 and 11 Combine requirements 10 and 11 (remote update and access requirements) to remove redundancies. Conclusion The PCI Security Standards Council thanks the hundreds of companies and stakeholders that have taken the time to provide us with feedback on the PCI Security Standards. This valuable real world input ensures that the standards can continue to provide a strong security framework for the protection of cardholder data. The Council looks forward to welcoming stakeholders to our annual Community Meetings in Orlando and Barcelona and discussing the more detailed summary of changes and pre-release versions of the revised standards, which will be provided to Participating Organizations in early September. As a reminder, this document provides insight into anticipated changes to the PCI DSS and PA-DSS for advance informational purposes only, and does not replace the current DSS, the to-be-published detailed summary of changes or new versions of the standards. The planned publication date of versions 2.0 of and PA-DSS is October 28, 2010, after they

have been discussed at the Council s European Community Meeting in Barcelona. Per the new three year lifecycle, the updated standards will become effective on January 1, 2011.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information