They totally are!  Giving us this little tiny preview of upcoming changes without really getting too specific.  It’s like me saying, “Dude, that chick is HOT!” Then when you ask me to describe her I say, “It’s a lady all right!”

Teased, by urbanlatinfemale

OK, back to the real reason you are reading this, the changes to PCI DSS and PA-DSS slated to drop on October 28 are outlined here.

The majority of the document reviews the new lifecycle, how and why changes are made, and the three general types of changes outlined: clarifications, additional guidance (which is just a fancy way to say clarification), and a requirement that is evolving based on new threats or a change in the market. This release represents a positive step by the Council to help key stakeholders understand what is coming, but falters on the execution a bit.

Those who have been working with PCI DSS for any period of time quickly learn that the devil is in the details. While this overview is helpful for us to understand where the Council is moving, most of the actual change will be driven by interpretation. On the surface, a significant amount of the change appears to adjust the wording to reflect the intent of the requirements. This is increasingly important in areas that are seeing increased drive and focus on compliance. As new QSAs are certified, the changes will help make up for the interpretation nuances that experience would eventually yield.

One particularly noteworthy change is the note on the scope of an assessment. While we don’t know the ACTUAL change yet, it doesn’t appear that some kind of DLP tool will be required to validate scope. That said, it certainly would play a key component in scope validation in addition to interviews. I don’t believe QSAs could attest and validate scope without tools in conjunction with interviews.[1]

Another change that specifically popped out at me was the centralized logging requirement for PA-DSS. It may signify a lack of attention to detail by QSAs assessing companies that deploy products capable of complying with PA-DSS. Many PA-DSS compliant applications can be configured in a non-compliant way, and with downward price pressure on QSAs,[2] sometimes shortcuts happen. I’m not saying that I’ve ever done it, but I’ve walked into a customer that had their entire POS environment ignored because the assessor saw it on the PA-DSS compliant application list.[3]

I wouldn’t rush to download and read the five-page release, but put it in your “to read sometime” pile. Your best bet may be to register for the webcast on August 24th, but unless Russo gets something more than a prepared statement based on this document, that’s probably not even worth attending (except to see if someone torpedoes his notes like the last one).

This post originally appeared on BrandenWilliams.com.

  1. At least not in good conscience.
  2. And arguably, the commoditization of the service.
  3. Hint: it was storing PANs in an area where it was not supposed to be…