A change of scenery, by kevindooley

Don’t worry, you don’t need to tear up your existing compliance assessment.  Troy Leach recently alerted the world, via press release, that PCI DSS version 1.2.1 is now the most recent version of PCI DSS, though he states, “As there are no changes to the intention or requirements of the DSS, your compliance programs will be unaffected by the change from DSS 1.2 to DSS 1.2.1.” 

This change is minor in nature and does not constitute a new version under the PCI Lifecycle document released earlier this year.  Most of the changes are typo corrections or wording alterations in the documents, with a few driven by new policies or fees. 

Let’s walk through the changes.

Three documents were modified with this new version.  For PCI DSS, the following four changes were made:

  1. Page 5: Add sentence that was incorrectly deleted between PCI DSS v1.1 and v1.2.
  2. Page 32: Correct “then” to “than” in testing procedures 6.3.7.a and 6.3.7.b.
  3. Page 33: Remove grayed-out marking for “in place” and “not in place” columns in testing procedure 6.5.b.
  4. Page 64: For Compensating Controls Worksheet – Completed Example, correct wording at top of page to say “Use this worksheet to define compensating controls for any requirement noted as ‘in place’ via compensating controls.”

PA-DSS and the PA-DSS Program Guide version 1.2.1 include the following changes:

  1. Page 9: In “To which Applications does PA-DSS Apply?” section, provide further clarity about what is considered a “payment application.”
  2. Pages 4 & 12: Add reference to the new PA-DSS Listing Summary, in “Related Publications” and “Release Agreement and Delivery of Report” sections. The PA-DSS Listing Summary is for PA-QSAs to submit with report, to specify report and listing information for PCI SSC to use. The form is not included in PA-DSS Program Guide but is available here.
  3. Page 9: Add fraud-scoring or detection applications as examples of non-payment applications that may be part of a payment application suite.
  4. Page 13: Clarify language in “Fees” section to eliminate previous “quarterly” wording, add annual maintenance fee of $500, clarify that grandfathered PABP applications will be charged a one-time fee of $1,250 (rather than an annual fee), add reference to Figure 4 for details about renewing expired applications, and add a $125 listing fee for minor updates.
  5. Page 14: Add column to the table of figures, to refer to page numbers with additional Program Guide content related to each figure.
  6. Pages 16, 21, 22, 37:  Change terminology used previously for changes to listed payment applications to “minor update” in “Overview of PA-DSS Processes,” Figure 2, and “Changes to Listed Payment Applications”; added terms “major update,” “minor update,” and “no update.” Clarified process in “Minor Update – No Impact to PA-DSS Requirements.” Changed title related to self-attestation form in Appendix C to “Self-Attestation for Minor Update.”
  7. Pages 17, 18, 23, 24, 35: Changed “Not acceptable for new deployments” to “Acceptable only for pre-existing deployments.”
  8. Page 20: In “PA-DSS Report Acceptance Process Overview” section, changed “release agreement” to “vendor release agreement” to match language in “Legal Terms and Conditions” section.
  9. Page 23: In “Renewing Expired Applications” section, added second sentence to Item 2.
  10. Pages 24, 25: Clarify language in sections for “Payment Applications undergoing PABP Reviews During Transition” and “PA-DSS Transition Procedures.” Deleted part of footnote that referred to PABP 1.4 and the October 15, 2008 date, since the date is past. Clarify that PCI SSC will not accept PABP Transition Procedures after September 30, 2009.
  11. Page 28, 32: In “PA-DSS Reporting Processes” section and Appendix A, clarify process and change language used for contents of List of Validated Payment Applications to match language used in posted list. Expanded Appendix A to include tables with details about payment application types and the reference number.
  12. Page 29: In section formerly called “Notification Following a Security Breach or Compromise,” add “vulnerability” throughout—now the language is “security breach, compromise, or known vulnerability.”
  13. Page 31: Change language in “Legal Terms and Conditions” section to match that currently included in the PA-DSS Vendor Release Agreement.

Remember folks, the feedback phase is open until October 31, 2009, so take advantage and submit your feedback!

This post originally appeared on BrandenWilliams.com.