August 16, 2010

Payment Card Industry Data Security Standard v2

Good morning,

To start the week, an item on standards and regulatory evolution. In October the next version of the payment card industry security standard (the one for plastic money, that is) will be published. Some of the changes have already been previewed at a high level, and I am pasting them here. All of this comes within a lifecycle that has been extended from 2 to 3 years, more in line with current information governance maturity criteria:

Requirement Impact | Reason for Change | Proposed Change | Category
--- | --- | --- | ---
PCI DSS Intro | Clarify applicability of PCI DSS and cardholder data. | Clarify that PCI DSS Requirements 3.3 and 3.4 apply only to PAN. Align language with PTS Secure Reading and Exchange of Data (SRED) module. | Clarification
Scope of Assessment | Ensure all locations of cardholder data are included in scope of PCI DSS assessments. | Clarify that all locations and flows of cardholder data should be identified and documented to ensure accurate scoping of the cardholder data environment. | Additional Guidance
PCI DSS Intro and various requirements | Provide guidance on virtualization. | Expanded definition of system components to include virtual components. Updated Requirement 2.2.1 to clarify intent of "one primary function per server" and use of virtualization. | Additional Guidance
PCI DSS Requirement 1 | Further clarification of the DMZ. | Provide clarification on secure boundaries between the Internet and the cardholder data environment. | Clarification
PCI DSS Requirement 3.2 | Clarify applicability of PCI DSS to Issuers or Issuer Processors. | Recognize that Issuers have a legitimate business need to store Sensitive Authentication Data. | Clarification
PCI DSS Requirement 3.6 | Clarify key management processes. | Clarify processes and increase flexibility for cryptographic key changes, retired or replaced keys, and use of split control and dual knowledge. | Clarification
PCI DSS Requirement 6.2 | Apply a risk-based approach for addressing vulnerabilities. | Update requirement to allow vulnerabilities to be ranked and prioritized according to risk. | Evolving Requirement
PCI DSS Requirement 6.5 | Merge requirements to eliminate redundancy and expand examples of secure coding standards to include more than OWASP. | Merge Requirement 6.3.1 into 6.5 to eliminate redundancy for secure coding for internal and Web-facing applications. Include examples of additional secure coding standards, such as CWE and CERT. | Clarification
PCI DSS Requirement 12.3.10 | Clarify remote copy, move, and storage of CHD. | Update requirement to allow business justification for copy, move, and storage of CHD during remote access. | Clarification
PA-DSS General | Payment applications on hardware terminals. | Provide further guidance on PA-DSS applicability to hardware terminals. | Additional Guidance
PA-DSS Requirement 4.4 | Payment applications should facilitate centralized logging. | Add sub-requirement for payment applications to support centralized logging, in alignment with PCI DSS Requirement 10.5.3. | Evolving Requirement
PA-DSS Requirements 10 & 11 | Merge PA-DSS Requirements 10 and 11. | Combine Requirements 10 and 11 (remote update and access requirements) to remove redundancies. | Clarification


These will translate into control objectives, controls and security requirements. There are interesting points, such as no longer treating OWASP as the only reference for secure coding of web applications (CWE and CERT are now named alongside it), lifecycle management of cryptographic keys (rotation, retirement and replacement, split knowledge and dual control), greater separation between layers and a clear definition of the DMZ, and so on.

We will have to keep an eye on this over the coming months. More information here.

2 comments:

Homo libris said...

Indeed, changes and improvements are coming, expansions and a study period that we should not let pass us by.

Thanks, GigA, for the information and the summary.

Regards,

Lobosoft.

des said...

Hi GigA! I also think it is very good that they use something more than the OWASP Top Ten for the controls on web applications. Thanks for the info. Regards!