Updated Standards Part 2 - PCI DSS/PA DSS

Published: 2013-12-05
Last Updated: 2013-12-05 11:20:48 UTC
by Mark Hofman (Version: 1)
3 comment(s)
Last week the PCI Security Standards Council released the next versions of the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA DSS), version 3.0.  The standards are updated on a three year cycle and are valid from the date of release.  The previous version can still be used for certification until 31 December 2014, giving companies plenty of time to adjust to the new requirements.  
 
The changes are mostly clarifications of the current requirements. A few have been combined and moved, but there really are no earth-shattering changes.  
 
Unlike ISO 27001, there is a summary-of-changes document for each of the standards. These are available on the council's web site (www.pcisecuritystandards.org).  One of the more visible changes is that the standard now provides, for each requirement, a guidance statement that explains why the requirement is important.  In early 2014 the reporting requirements should be available, which will provide insight into what documentation and evidence need to be available when facing an assessment. 
 
Mark H - Shearwater

Comments

So, if the NSA or a criminal organization is sniffing the private fiber links between your datacenters, you are still PCI compliant even though customer information including credit cards is being stolen because the data is in transit and the links are private.
One of the more visible changes is that the standard, for each requirement, now provides a guidance statement that "explains why the requirement is important. "
Hhmmm, a reason for doing something (i.e. why it is important). What a novel idea! ;-)
"NSA or a criminal organization"--isn't that redundant? I'm thinking of having a T-shirt made that says:
NSA Cloud Backup Services
"we have your data anyway, why not enjoy it?"
