As a QSA who has led numerous PCI certification processes, I chose to hold a round-table yesterday in Israel for leading enterprises required to comply with the PCI standard, in order to present and highlight the significant differences between the versions and to assist these organizations in adapting to and preparing for the new requirements. Version 2.0 takes effect in January 2011; however, organizations already in the process of certifying against version 1.2 may continue with that version until the end of 2011. The main changes in version 2.0 are:
- Clarifications regarding Cardholder Data (CHD) environment scoping.
- Guidelines regarding virtualization with an emphasis on hardening procedures and configurations.
- Further details on DMZs, namely the separation of internal organizational networks from the internet.
- Guidelines for card issuers (organizations that issue credit cards) regarding the storage of Sensitive Authentication Data (SAD).
- Increased flexibility in cryptographic key management, specifically in the change management procedures and the dual-control requirements.
- Increased flexibility in patching: requirement 6.1 requires critical security patches to be installed within one month of their release, and version 2.0 allows a risk-based program for prioritizing patch installation as an alternative to installing every critical patch within that window.
- Recognition of other leading international standards, such as CWE and CERT, for the purpose of secure code review. In addition, version 2.0 requires the involvement of an application security expert in the secure code review process, alongside any automated tool.
- Increased flexibility regarding the copying, local storage and subsequent deletion of CHD by personnel accessing it remotely, permitted only where there is an explicit business need; until now, requirement 12.3.10 prohibited saving CHD locally under any circumstances.
Click here to download the full presentation.