Bill Roth, Ulitzer Editor-at-Large


PCI DSS 2.0 is here

By Dr. Anton Chuvakin

PCI DSS defines itself as “a set of comprehensive requirements for enhancing payment account data security.” However, in many real-world implementations of PCI DSS controls, the focus is on reducing the risk to transactions by limiting the number of systems that deal with card data. The most important concept in PCI DSS is “scope” – meaning all of the systems, applications and networks to which PCI DSS controls apply. PCI DSS is currently transitioning from version 1.2.1 to version 2.0. The new version (2.0) was published last week and takes effect in January 2011. It will be the binding guidance for at least 3 years – until 2014 and possibly even longer, since the standard is not expected to be updated again soon.

PCI 2.0

According to the PCI DSS 2.0 documentation released by the PCI Council, PCI DSS 2.0 includes minor changes, clarifications, and minor additional requirements, as well as eliminating some redundancy in requirements.

Specifically, PCI DSS 2.0 covers such things as:

  • “Clarify that all locations and flows of cardholder data should be identified and documented to ensure accurate scoping of cardholder data environment”
  • “Update requirement 2.2.1 to clarify intent of “one primary function per server” and use of virtualization”
  • “Provide clarification on secure boundaries between internet and card holder data environment”
  • “Update requirement to allow vulnerabilities to be ranked and prioritized according to risk”
  • “Update requirement to allow business justification for copy, move, and storage of card data during remote access”
  • and a few minor items.

It is interesting to note that the sister standard, PA-DSS, will now have an additional logging requirement for closer alignment with PCI DSS:

  • “sub-requirement for payment applications to support centralized logging, in alignment with PCI DSS requirement 10.5.3”.

To celebrate the release of 2.0 we’ve created a new PCI resource page that I’d encourage you to visit.


Bill Roth is a Silicon Valley veteran with over 20 years in the industry. He has played numerous product marketing, product management and engineering roles at companies like BEA, Sun, Morgan Stanley, and EBay Enterprise. He was recently named one of the World's 30 Most Influential Cloud Bloggers.