Para empezar la semana una de evolución normativa / regulatoria. En Octubre se va a publicar la siguiente versión del estándar de seguridad de la industria de pago con tarjeta (la del dinero de plástico, vamos), algunos cambios ya se han adelantado a alto nivel, los cuales os pego por aquí. Todo ello dentro de un ciclo de vida que se ha extendido de
Requirement Impact | Reason for Change | Proposed Change | Category |
PCI DSS Intro | Clarify Applicability of PCI DSS and cardholder data. | Clarify that PCI DSS Requirements 3.3 and 3.4 apply only to PAN. Align language with PTS Secure Reading and Exchange of Data (SRED) module. | Clarification |
Scope of Assessment | Ensure all locations of cardholder data are included in scope of PCI DSS assessments | Clarify that all locations and flows of cardholder data should be identified and documented to ensure accurate scoping of cardholder data environment. | Additional Guidance |
PCI DSS Intro and various requirements | Provide guidance on virtualization. | Expanded definition of system components to include virtual components. Updated requirement 2.2.1 to clarify intent of “one primary function per server” and use of virtualization. | Additional Guidance |
PCI DSS Requirement 1 | Further clarification of the DMZ. | Provide clarification on secure boundaries between internet and card holder data environment. | Clarification |
PCI DSS Requirement 3.2 | Clarify applicability of PCI DSS to Issuers or Issuer Processors. | Recognize that Issuers have a legitimate business need to store Sensitive Authentication Data. | Clarification |
PCI DSS Requirement 3.6 | Clarify key management processes. | Clarify processes and increase flexibility for cryptographic key changes, retired or replaced keys, and use of split control and dual knowledge. | Clarification |
PCI DSS Requirement 6.2 | Apply a risk based approach for addressing vulnerabilities. | Update requirement to allow vulnerabilities to be ranked and prioritized according to risk. | Evolving Requirement |
PCI DSS Requirement 6.5 | Merge requirements to eliminate redundancy and Expand examples of secure coding standards to include more than OWASP. | Merge requirement 6.3.1 into 6.5 to eliminate redundancy for secure coding for internal and Web-facing applications. Include examples of additional secure coding standards, such as CWE and CERT. | Clarification |
PCI DSS Requirement 12.3.10 | Clarify remote copy, move, and storage of CHD. | Update requirement to allow business justification for copy, move, and storage of CHD during remote access. | Clarification |
PA DSS General | Payment Applications on Hardware Terminals. | Provide further guidance on PA-DSS applicability to hardware terminals. | Additional Guidance |
PA-DSS Requirement 4.4 | Payment applications should facilitate centralized logging. | Add sub-requirement for payment applications to support centralized logging, in alignment with PCI DSS requirement 10.5.3. | Evolving Requirement |
PA-DSS Requirements 10 & 11 | Merge PA-DSS Requirements 10 and 11 | Combine requirements 10 and 11 (remote update and access requirements) to remove redundancies. | Clarification |
Esto se traducirá en Objetivos de Control, Controles y requisitos de seguridad. Hay cosas curiosas como no basarse solo en OWASP para los test de intrusión de aplicaciones web, gestión del ciclo de vida de claves criptográficas, mayor separación de capas y clara definición de las DMZ, etc.
Habrá que estar atentos en los próximos meses. Más información aquí.