On January 1, 2012, the next version of PCI DSS, 2.0, will come into effect. Are you ready?
The Coming Storm: PCI DSS 2.0
I have always felt that PCI-DSS was no more than lip service to proper security. Some HP employees will recall me saying that I think that PCI has as much to do with security as a monkey has to do with blueberry juice. I slay myself.
While I do not believe PCI-DSS is prescriptive or a panacea for whatever ails your organization, I have to admit that more money and effort have been spent on security and privacy because of PCI.
On January 1st, the new version of PCI DSS will become effective. What’s the big deal, you ask?
Some of us have had to deal with the 12 current requirements of PCI, especially in the USA (although European adoption is, reportedly, growing). In fact, for some organizations, the annual ritual of ‘let’s pass PCI’ has become the only rallying call for security. Indeed, some treat it as the ‘Gospel’.
The Twelve Requirements today
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software on all systems commonly affected by malware
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
PCI DSS 2.0 – The Storm
The huge change coming this year is not found in any of the twelve. We have to read the document more closely to understand it; the change is, in fact, ‘hidden’ in the SCOPE section. So here goes (emphasis mine):
“the first step of a PCI DSS review is to accurately determine the scope of the assessment, by identifying all locations and flows of cardholder data and ensuring that all such locations are included in the assessment.”
Now, a QSA will need to certify, per a new auditing requirement, 3.1.1, that:
- a quarterly automatic or manual process for identifying, and
- [a quarterly automatic or manual process for] securely deleting stored cardholder data …exists
While this may seem to some like another ‘no auditor left behind act’, meant to further enrich QSAs, it is actually a welcome and needed change.
How to Stay Dry
Some of the most frequent requests I receive nowadays relate to this requirement. What we need to do, for starters, is:
- Understand the new requirement
- Create a policy as to what to keep, what not to keep, and for how long
- Look for data. This might seem simple at first, but consider that data can reside:
  - in a database
  - in a flat file
  - in an encrypted form
  - in log files
  - on laptops and cell phones
  - in non-SQL databases
  - in your old backup tapes
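To make the ‘look for data’ step and the quarterly identify-and-delete process of 3.1.1 concrete, here is an added example; it is not code from the original post, from Caliber Security or from the PCI Council. It walks a directory of constructed flat files and log files, pulls out digit runs that pass the Luhn check (the checksum card numbers carry), masks them the way PCI DSS allows, and flags any file whose modification time is older than an assumed 90-day retention period. The retention period, file names and sample contents are all assumptions. It covers only the flat-file and log-file cases from the list; databases, encrypted stores, non-SQL databases and backup tapes need their own tooling, and the deletion step is deliberately left to your policy.

```python
"""Added example, not code from the original post: a minimal discovery pass
over flat files and logs for stored cardholder data (PANs), of the kind the
quarterly identify-and-delete process needs. Sample files, retention period
and paths are constructed assumptions."""
import os
import re
import tempfile
import time
from dataclasses import dataclass
from typing import List, Optional

# Assumed retention policy (placeholder): files older than this need review
RETENTION_DAYS = 90

# 13-19 digits, optionally separated by single spaces or dashes,
# and not part of a longer digit run
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:\d[ -]?){12,18}\d(?![0-9])")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum card numbers carry."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first six and last four digits, as PCI DSS masking allows."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[str]:
    """Return unmasked Luhn-valid PANs found in one chunk of text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


@dataclass
class Finding:
    path: str
    line_no: int
    masked_pan: str
    past_retention: bool  # file mtime older than RETENTION_DAYS


def scan_tree(root: str, now: Optional[float] = None) -> List[Finding]:
    """Walk root and report each Luhn-valid PAN with file, line and retention status."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            age_days = (now - os.path.getmtime(path)) / 86400
            with open(path, "r", errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    for pan in find_pans(line):
                        findings.append(
                            Finding(path, line_no, mask(pan), age_days > RETENTION_DAYS)
                        )
    return sorted(findings, key=lambda f: (f.path, f.line_no))


def build_sample_tree() -> str:
    """Create constructed sample files: a stale export, a fresh log and a decoy."""
    root = tempfile.mkdtemp(prefix="pan_scan_")
    samples = {
        "customers.csv": "id,name,card\n7,Ada,4111111111111111\n",  # valid PAN, stale file
        "app.log": "2011-12-01 charge 5500 0000 0000 0004 ok\n"  # valid PAN, spaced
                   "2011-12-01 charge 4111111111111112 declined\n",  # fails Luhn
        "notes.txt": "call 1234567890123 about the invoice\n",  # 13 digits, fails Luhn
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    stale = time.time() - 200 * 86400  # make the export 200 days old
    os.utime(os.path.join(root, "customers.csv"), (stale, stale))
    return root


def run_demo() -> List[Finding]:
    """Build the constructed sample tree, scan it and return the findings."""
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    for f in run_demo():
        flag = "PAST RETENTION" if f.past_retention else "within retention"
        print(f"{os.path.basename(f.path)}:{f.line_no} {f.masked_pan} ({flag})")
```

Run it as a script and it prints one line per finding with the PAN masked, so the report itself does not become a new place where cardholder data resides. The Luhn filter removes most phone numbers and invoice ids, but a scan like this is only the input to the quarterly process: each hit still has to be matched against the retention policy and either justified or securely deleted.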
I am offering, in conjunction with Caliber Security, a quick-start program aimed at helping organizations get a handle on this requirement before annual certification time comes. So please contact me here; help in addressing PCI DSS 2.0 is on the way.