Saturday, October 9, 2010

PCI DSS & PA DSS version 2.0

Slowly but surely, PCI (Payment Card Industry) standards are getting more and more mature. As it stands today, the PCI SSC (Security Standards Council) maintains three security standards:
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Payment Application Data Security Standard (PA DSS)
  • PIN Transaction Security (PTS)

Those who expected the council to release minor updates of PCI DSS and PA DSS (i.e. version 1.2.1 to version 1.3) and are now dreading the "oh mighty" version 2.0 can rest at ease, as the majority of the changes are no more than clarification and restructuring of the standards.

The biggest change is to the Approved Scanning Vendor (ASV) program, where vendors who previously could offer simple vulnerability scanning services are now required to adopt a more comprehensive approach. Scanning vendors will be required to educate their employees by going through the PCI SSC training and certification process, work closely with merchants and service providers through remediation and rescanning, and provide their customers with a standardized report and an Attestation of Scanning Compliance (AoSC). Not only that, the vendors are expected to include environment discovery and verification of the scanning scope with the customer. From a security standpoint, those are welcome changes...
