The new version of PCI DSS is finally out there.

Nothing Earth shattering, but it’s good to see some necessary clarifications making their way into the document. Things worth mentioning:

-          Integrating the content of “Navigating DSS” into the standard – Great!

-          Changing from “file integrity monitoring”  to “change detection monitoring”  - Yes, please!!

-          Rationalizing that craziness in the policy requirements (distributing 12.1.1 stuff into the other requirements) – Very good, that’ll make QSA lifes easier

-          Changes to the pentesting requirements – Good, now it specified what’s expected from a penetration test

The whole PCI thing stinks, but at least 3.0 stinks less than 2.0 :-)