The most valuable technical information was presented during the ‘Assessors Only’ session on Tuesday afternoon. The SSC covered the upcoming changes to the PCI DSS and PA-DSS standards. There was an open Q&A session with excellent insight into the industry’s concerns and the SSC’s intent behind many of the proposed changes. Some of the key announcements and observations were:

ASV Changes – A lot of information was presented about the upcoming changes to the Approved Scanning Vendor (ASV) baseline, which is currently in progress. The SSC has created a task group to deal with the issue of “scan interference”; the task force will work through the issue and communicate clear expectations to the rest of the industry. A number of “hints” were dropped about web-based vulnerabilities and how they will play a bigger role in ASV scans (and the revised baseline) going forward.

PCI DSS 3.0 – Business as Usual – The SSC clarified that this new section of the 3.0 standard requires no assessor validation or documentation. It is merely a section on implementation best practices for continuous PCI DSS compliance.

PCI DSS 3.0 – Template Changes – New in the 3.0 release, the SSC has created a reporting template that it would like all QSA organizations to use. The reporting instructions had previously been outlined in a separate document; they are now included within the standard itself.

PCI DSS 3.0 – Scope – The SSC made some significant improvements to its stated intent around the PCI DSS scope of validation, and these clarifications were covered again during the assessor and general sessions. Most important is the following: systems that affect the security of the cardholder data environment should be considered in scope for the assessment. During one of the Open Forum sessions, we asked whether this would include A/V servers, patching servers, DNS systems, etc., and the SSC confirmed that it does. It is also important to note that they indicated this will include the originating web servers for e-commerce outsourcing solutions.

PCI DSS 3.0 – Phase-in Requirements – Several new requirements will be considered best practice only until June 2015. It is important to review and analyze these new requirements now to prepare your organization for the upcoming impact on your compliance efforts. Our favorite is the change to the penetration testing requirements:

Penetration testing must now validate segmentation technologies.

Avoid the Silver Bullet – We heard this phrase a lot during the SSC presentations and in informal discussions with the card brands. The SSC wants to dispel a myth that so many merchants seem to be falling prey to: there is no such thing as a “Silver Bullet” solution that eliminates all PCI DSS scope and responsibility.

PA-DSS Template Changes – Very little content was presented on the upcoming changes to the PA-DSS. We met several key SSC representatives who will allow us to provide direct feedback about the draft standard. Coalfire has concerns and questions in two major areas of the new draft that we will clarify in the near future:
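The one technical item on this page is the phase-in requirement that penetration testing must validate segmentation. The script below is an added illustration, written for this page and not code from Coalfire or the SSC, of the minimal evidence such a test produces: from a host in a segment that is supposed to be isolated from the cardholder data environment (CDE), attempt a TCP connection to every CDE address and port and report anything that answers. The hosts and ports are constructed fixtures, and a loopback listener stands in for a CDE service that the segmentation failed to block. A real segmentation test covers every out-of-scope segment, all CDE hosts and all protocols (not only TCP, and typically with a full scanner such as nmap); this example shows only the probe and the pass/fail logic.

```python
"""Minimal reachability check for a PCI DSS segmentation test (added example).

Run it from a host in a network segment that is supposed to be isolated from
the cardholder data environment (CDE).  Every CDE host/port that answers is a
segmentation failure the penetration test must report; an empty finding list
for the probed set is the evidence that the controls held for that set.
"""
import socket
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ProbeResult:
    host: str
    port: int
    reachable: bool


def probe_tcp(host: str, port: int, timeout: float = 1.0) -> ProbeResult:
    """TCP connect probe.  A completed handshake counts as reachable; a refusal,
    a timeout (typical of a firewall drop) or any other socket error does not."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return ProbeResult(host, port, True)
    except OSError:
        return ProbeResult(host, port, False)
    finally:
        sock.close()


def sweep(hosts: Iterable[str], ports: Iterable[int],
          timeout: float = 1.0) -> List[ProbeResult]:
    """Probe every host/port combination from the current (out-of-scope) vantage point."""
    ports = list(ports)
    return [probe_tcp(h, p, timeout) for h in hosts for p in ports]


def segmentation_findings(results: Iterable[ProbeResult]) -> List[Tuple[str, int]]:
    """(host, port) pairs that were reachable, sorted for a stable report.
    An empty list means segmentation held for everything that was probed."""
    return sorted((r.host, r.port) for r in results if r.reachable)


def demo() -> dict:
    """Self-contained run with constructed fixtures: a loopback listener stands in
    for a CDE service that segmentation failed to block, and a port that was just
    released stands in for one that is properly unreachable."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing listens here any more, so the probe must fail

    try:
        results = sweep(["127.0.0.1"], [open_port, closed_port], timeout=0.5)
    finally:
        listener.close()

    return {
        "open_port": open_port,
        "closed_port": closed_port,
        "findings": segmentation_findings(results),
    }


if __name__ == "__main__":
    report = demo()
    for host, port in report["findings"]:
        print(f"FAIL: {host}:{port} reachable from the out-of-scope segment")
    if not report["findings"]:
        print("PASS: no probed CDE service reachable")
```

The findings list is the artefact to keep with the test report: for a passing result it should be empty for every out-of-scope segment probed, and each non-empty entry is a specific host and port that the segmentation control let through.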