Is anyone else still wondering what exactly this means for your business? The summary definitely answers a few questions, but I wonder whether someone was pressuring the Council to release something, ANYTHING, about the new revision.
One thing that concerns me as a QSA is the amount of variance that some of the clarifications will introduce into interpretation. For example, right off the bat we see room for interpretation in the clarification under Requirement 1:
Added flexibility in the time frame for review of firewall rules, from quarterly to every 6 months, based on Participating Organization feedback. Now the control can be better customized to the organization’s risk management policies.
On the surface, this looks great. It allows for customization (or variance, or interpretation, or shades of gray, or you get the point). But it could easily become a way for a QSA to turn lenient for the sake of winning a deal. Should some organizations still do quarterly reviews? Absolutely! Especially large ones with frequent changes to their rule sets. I know that some merchants will choose a QSA based on how certain requirements are read, but I hope merchants realize that a lenient read of a requirement could cause their foot to explode from a breach bullet if such an event were to happen.
I hear the caliber of those breach bullets is pretty high.
One of the bigger changes, and one that is clearly laid out, is the sunset date for WEP. THANK GOODNESS! Yes, I realize that companies are STILL deploying new WEP installations, but WEP has no business in any environment where sensitive data exists, meaning any network that stores or transmits it, or any network that is not segmented from one that does. There will now be a requirement to replace all of those devices by June 30, 2010.
Requirement 5 now seems to have more teeth, but I'll wait to see the testing procedures. I don't believe the Council will require A/V on mainframes, but I do believe that other operating systems like Linux and Mac OS X could now come into scope. VeriSign's position is that if it is a desktop operating system with access to the internet (including indirectly, through email), it should have some kind of A/V on it.
In Requirement 11, there are so many goodies that we will just have to wait for the SAP (Security Audit Procedures). Internal penetration testing is a really fun one that I fear will cause many merchants a slight case of freakout (or death-panic, as I like to call it). Also, are we getting closer to wireless IPS in environments where cardholder data exists? I'm getting so excited! It feels like Christmas morning over here.
My favorite change is the one listed under Requirement 7: clarified language around testing procedures. We'll just have to wait for the new SAP to be released before we can let out that deep breath we're all holding!