Just when you thought you had fully understood all the PCI compliance rules, the all-new PCI DSS 2.0 will be released at the end of this month, on 9/30. This is a major version change, going from 1.x to 2.x. Upon release, companies must ensure they are in compliance with the new rules. To allow time to comply, a number of the new or changed rules will say something like "must be implemented by 1/1/11".
Of the 12 new changes to the standards, the best part of the new PCI DSS rules is a change to requirement 2.2.1, which specifically allows for virtualization, such as using a VPS running Linux under Xen. Instead of having just 1 function per server, they now specify that you can have multiple virtual servers on one physical server, each performing a separate function. Prior to this, the Payment Card Industry didn't specifically allow or disallow the use of VPSs, and its rule on the subject was open to interpretation, so your security team would need to make a judgement call on whether you would still be in compliance using Xen or any other VPS. You will still need at least 2 physical servers, as your database server must be behind a hardware firewall, but you can have web on 1 VPS, email on another, DNS on a third, etc.
Some people argue that using a VPS is less secure, because you risk having the main server hacked and, in turn, all the VPSs running on it compromised. However, SSH is probably the only port you would have open on the main server, and that should have an ACL denying all traffic except from one or a couple of IPs, so it would be very rare for that to happen, and it seems the PCI DSS Council realized that too.
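As an added example (not part of the original post), a small audit script that checks an iptables-save dump from the host against the policy just described: INPUT defaults to DROP, and the only inbound accepts are for SSH from a short list of management addresses. The ruleset, the management IPs and the function name `audit_dom0_filter` are constructed sample values, not anything from the PCI documents.

```python
import ipaddress
import re

# Constructed iptables-save output for a hypothetical Xen host (dom0).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.11/32 -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed management addresses allowed to reach SSH on the host.
MANAGEMENT_HOSTS = ["203.0.113.10", "203.0.113.11"]


def audit_dom0_filter(rules_text, allowed_sources, ssh_port=22):
    """Return a list of policy findings; an empty list means the ruleset passes."""
    findings = []
    allowed = {ipaddress.ip_network(a) for a in allowed_sources}

    # The INPUT chain must deny by default; everything not listed is dropped.
    if not re.search(r"^:INPUT DROP", rules_text, re.M):
        findings.append("INPUT chain default policy is not DROP")

    for line in rules_text.splitlines():
        # Only inbound ACCEPT rules can open a port, so skip everything else.
        if not line.startswith("-A INPUT") or "-j ACCEPT" not in line:
            continue
        # Loopback and reply traffic are expected and not inbound exposure.
        if "-i lo" in line or "ESTABLISHED" in line:
            continue
        port = re.search(r"--dport (\d+)", line)
        src = re.search(r"-s (\S+)", line)
        # Any accepted port other than SSH violates the single-port policy.
        if not port or int(port.group(1)) != ssh_port:
            findings.append("non-SSH inbound accept: " + line)
            continue
        # SSH accepts must be pinned to a listed management source.
        if not src or ipaddress.ip_network(src.group(1)) not in allowed:
            findings.append("SSH accept from unlisted source: " + line)
    return findings


if __name__ == "__main__":
    for finding in audit_dom0_filter(SAMPLE_RULES, MANAGEMENT_HOSTS):
        print(finding)
```

Feed it the output of `iptables-save` from the host to get a quick pass/fail list before an assessment.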
Nick Gill, CSO of PenguinWebHosting.com, says, "I'm glad to see that they are explicitly allowing virtualization now, this helps make it affordable for small online businesses to meet the PCI Standards".
Another big change, and luckily you won't have to do anything for it, is that the PCI DSS life cycle will be 3 years instead of 2. The council felt 2 years was too short, and instead of a 5-step process over 2 years, they are switching to an 8-phase life cycle over 3 years.
The PCI compliance rules are relatively new and are definitely more general than specific. There has been a lot of gray area, as well as some redundancy in the rules you need to follow. There is still a lot of generalization, but hopefully some of that will be cleared up as PCI evolves in the 2.x standards.
Another change is to requirement 6.2, where you are required to rank and prioritize vulnerabilities according to risk. This should be incorporated into your policies as well, so that major vulnerabilities are fixed without delay and lower-level potential vulnerabilities are fixed after the major ones. Also in section 6, they are merging 6.3.1 and 6.5 to include secure coding standards other than OWASP, particularly CWE (http://cwe.mitre.org/) and CERT (https://www.securecoding.cert.org/confluence/display/seccode/CERT+Secure+Coding+Standards).
So the good news here is that the changes are relatively minor, and you aren't going to have to go out and buy tons of new hardware, hire a team of programmers, or retrain all your staff. For more information on the changes see: https://www.pcisecuritystandards.org/pdfs/summary_of_changes_highlights.pdf Or download the entire new specification at the end of the month here: https://www.pcisecuritystandards.org/security_standards/pci_dss_download_agreement.html