The most valuable technical information was presented during the ‘Assessors Only’ session on Tuesday afternoon.  The SSC covered the upcoming changes to the PCI DSS and PA-DSS standards.  There was an open Q&A session with excellent insight on the industry’s concerns and the SSC’s intent with many of the proposed changes.  Some of the key announcements and observations were:

  • ASV Changes – A lot of information was presented about the upcoming changes to the Approved Scanning Vendor (ASV) baseline, which is still being revised.  The SSC has created a task group to address “scan interference” (for example an IPS or WAF that blocks or throttles the scanner so that the scan completes with incomplete coverage); the group will define the issue and communicate clear expectations to the rest of the industry.  Several “hints” were dropped that web application vulnerabilities will play a bigger role in ASV scans, and in the revised baseline, going forward.

  • PCI DSS 3.0 – Business as Usual – The SSC clarified that this new section of the 3.0 standard requires no assessor validation and no documentation.  It is guidance on implementation best practices for maintaining continuous PCI DSS compliance between assessments, not a set of testable requirements.

  • PCI DSS 3.0 – Template Changes – New with the 3.0 release, the SSC has published a reporting template that it would like all QSA organizations to use.  The reporting instructions had previously been a separate document; they are now included within the standard itself.

  • PCI DSS 3.0 – Scope – The SSC significantly clarified its intent regarding the scope of a PCI DSS validation.  These clarifications were covered again during the assessor and general sessions.  Most importantly: systems that affect the security of the cardholder data environment are to be considered in scope for the assessment, even if they never store, process or transmit cardholder data.  During one of the Open Forum sessions, we asked whether this would include A/V servers, patching servers, DNS systems, etc., and the SSC confirmed that it does.  It is also important to note that the SSC indicated this will include the originating web servers of outsourced e-commerce solutions.

  • PCI DSS 3.0 – Phase-in Requirements – Several new requirements will be considered best practice only until 30 June 2015, after which they become mandatory.  It is important to review and analyze these new requirements now to prepare your organization for the impact on your compliance efforts.  Our favorite is the change to the penetration testing requirements:

    Penetration testing must now validate that segmentation technologies are effective, i.e. that out-of-scope networks cannot reach the cardholder data environment.

  • Avoid the Silver Bullet – We heard this phrase a lot during the SSC presentations and in informal discussions with the card brands.  The SSC wants to dispel a myth that many merchants seem to be falling prey to: there is no “silver bullet” product or service that eliminates all PCI DSS scope and responsibility.  Outsourcing or tokenization can reduce scope, but the merchant retains responsibility for what remains.

  • PA-DSS Template Changes – Very little content was presented on the upcoming changes to the PA-DSS.  We met several key SSC representatives who will allow us to provide direct feedback on the draft standard.  Coalfire has concerns and questions about two major areas of the new draft that we will clarify in the near future:

    Hashing requirements for passwords
    SDLC guidelines

  • PCI SSC Tokenization Standards – It seems surreal, but the SSC plans to release four tokenization standards in 2014.  These standards will cover hashing strength and other considerations for using tokenization technologies to reduce scope.  They are not to be confused with the “tokenization” guidelines recently announced by some card brands, which concern the brands’ own payment token programs.
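
The segmentation validation requirement mentioned under the phase-in items is the kind of thing a tester ends up scripting. The following is an added example, not code from the original post, from Coalfire, or from the SSC: a minimal probe that is run from a network segment claimed to be out of scope and attempts TCP connections to the CDE inventory. The target hosts and ports are hypothetical, and the pass/warn/fail classification is this example’s own convention, not language from the standard. A TCP connect probe covers only TCP and only the segment it runs from; a full segmentation test repeats it from every out-of-scope segment and also covers other protocols.

```python
"""Added example: a minimal segmentation-validation probe (not from the original post).

Run it from a network segment that is supposed to be out of scope. It attempts
TCP connections to CDE hosts and ports; if segmentation is effective, nothing
in the target list should answer. Targets in __main__ are hypothetical."""
import socket
import threading
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    host: str
    port: int
    outcome: str  # "open", "refused", "filtered" or "unresolved"


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP connect attempt.

    open       - handshake completed: the CDE service is reachable (violation)
    refused    - RST received: port closed, but the host is routable (warning)
    filtered   - no answer / no route: traffic is dropped, the expected result
    unresolved - name lookup failed; fix the target list, not the firewall
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "unresolved"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeouts and ICMP unreachable both land here
        return "filtered"


def validate_segmentation(targets, timeout: float = 2.0) -> dict:
    """Probe every (host, port) pair and group the results by severity."""
    probes = [Probe(h, p, tcp_probe(h, p, timeout)) for h, p in targets]
    summary = {
        "violations": [p for p in probes if p.outcome == "open"],
        "warnings":   [p for p in probes if p.outcome == "refused"],
        "passed":     [p for p in probes if p.outcome == "filtered"],
        "unresolved": [p for p in probes if p.outcome == "unresolved"],
    }
    # Segmentation counts as effective only if no CDE service answered.
    summary["effective"] = not summary["violations"]
    return summary


def report(summary: dict) -> list:
    """Human-readable lines to attach as penetration-test evidence."""
    lines = []
    for p in summary["violations"]:
        lines.append(f"FAIL {p.host}:{p.port} service reachable from out-of-scope segment")
    for p in summary["warnings"]:
        lines.append(f"WARN {p.host}:{p.port} host routable (port closed); review ACLs")
    for p in summary["passed"]:
        lines.append(f"PASS {p.host}:{p.port} filtered")
    for p in summary["unresolved"]:
        lines.append(f"SKIP {p.host}:{p.port} could not resolve")
    lines.append("RESULT: segmentation " + ("effective" if summary["effective"] else "NOT effective"))
    return lines


def start_listener(host: str = "127.0.0.1"):
    """Test aid: a local listener standing in for a CDE host that leaks through."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # raised once srv is closed
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port(host: str = "127.0.0.1") -> int:
    """Test aid: a port nothing is listening on, to exercise the 'refused' path."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Hypothetical CDE inventory; replace with the real in-scope host list.
    cde_targets = [("10.10.20.11", 443), ("10.10.20.12", 1433), ("10.10.20.13", 22)]
    for line in report(validate_segmentation(cde_targets)):
        print(line)
```

The refused case is deliberately not treated as a pass: an RST means packets from the out-of-scope segment reach the CDE host and only the port happens to be closed, which is evidence of a routing or ACL gap rather than of effective segmentation. Run the probe from each out-of-scope network in turn, keep the output with the test evidence, and re-run it after any firewall or VLAN change.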

The original post by Matt Getzelman, PCI Practice Director, can be found here.
