Friday, November 8, 2013

PCI DSS v3.0

The new version of PCI DSS is finally out there.

Nothing Earth-shattering, but it’s good to see some necessary clarifications making their way into the document. Things worth mentioning:

- Integrating the content of “Navigating DSS” into the standard – Great!

- Changing from “file integrity monitoring” to “change detection monitoring” – Yes, please!!

- Rationalizing that craziness in the policy requirements (distributing the 12.1.1 stuff into the other requirements) – Very good, that’ll make QSA lives easier

- Changes to the pentesting requirements – Good, now it specifies what’s expected from a penetration test

The whole PCI thing stinks, but at least 3.0 stinks less than 2.0 :-)