The new version of PCI DSS is finally out there.
Nothing earth-shattering, but it’s good to see some necessary clarifications making their way into the document. Things worth mentioning:
- Integrating the content of “Navigating DSS” into the standard – Great!
- Changing from “file integrity monitoring” to “change detection monitoring” – Yes, please!!
- Rationalizing that craziness in the policy requirements (distributing the 12.1.1 stuff into the other requirements) – Very good, that’ll make QSA lives easier
- Changes to the pentesting requirements – Good, now it specifies what’s expected from a penetration test
The whole PCI thing stinks, but at least 3.0 stinks less than 2.0 :-)