Here are some of the highlights based on my perspective:
- The vast majority of feedback pertained to PCI DSS vs. PA-DSS. Feedback came from a range of Participating Organizations (POs), QSAs and ASVs. Quite a lot of the feedback seemed to come, not surprisingly, from assessors.
- Based on the press release, some of the main areas for comment are:
  - Revising the Self-Assessment Questionnaires (SAQs). Some commented they are too complicated (I assume they mean the qualifying criteria), but others pointed out additional requirements that may be needed.
  - Clarifying who is a Service Provider under PCI DSS Requirement 12.8. Huh!?! What is it about "you can affect the security of the transaction" that you don't understand?
  - Scoping. Let's all agree this is one of my hobby horses. I most recently wrote about it here and here. Hopefully there will be a good discussion of this topic next week. Based on the feedback, more guidance is still needed.
  - Cleaning up the password requirements in PCI DSS Requirement 8.5. I really agree with this one meriting a fresh look, since the level of detail seems too much for many organizations. We'll see what happens.
  - Determining what constitutes a "significant change" that triggers the need for a re-scan or even a new penetration test (PCI DSS Requirement 11.2). Anytime we use imprecise terms like "significant," it is a double-edged sword: it offers flexibility, but it can be abused.
I noted that this feedback is Phase 6. The next two phases involve drafting proposed revisions to the two standards (Phase 7), and then the final review (Phase 8).
Thanks to all who forwarded your feedback to Tom Davis and me. We'll report back to you after -- and likely during -- next week's Community Meeting...aka, PCI Woodstock...