OK folks, if you are a participating organization, or some other kind of stakeholder, you should now be able to grab the latest draft of the PCI DSS for the upcoming 3.0 revision. If you are not some kind of stakeholder, you can still get a copy but you have to be a little more sneaky. I have found copies outside already that are available if you know what to do.

Now, before someone from the Council gets all worried, I’m not at liberty to actually disclose what is inside PCI DSS 3.0. Even though I was given multiple copies outside of my current relationship with the Council, I’m going to stick by my agreement and only talk in general terms. Look for a blog post later this week on more things Council related, but suffice it to say, they aren’t doing themselves any favors by trying to keep the draft under wraps.

At first glance, looking at where the new draft is going, I would argue there are a ton of great improvements that are largely covered in the press release from last month. The requirements for maintaining a list of in-scope items and for data flow diagrams (here’s an article that will get you a head start) are as expected, with little room for interpretation variance. As I’ve said before, I don’t know how you maintain a compliant environment without those, but they are now formal requirements. Several “duh” items, as I mentioned here, are covered well. But as we thought, some of the questionable items I pointed out are pretty questionable indeed.

One of the stated objectives was to remove ambiguity and interpretation issues. There is definitely some positive work toward this objective in that they made an attempt to combine the requirements doc with the Navigating PCI DSS document. We will see if it ends up in the final draft, because I think this is very helpful! But as with the positives there are some negatives.

Judge me not, by Steve Punter

Do you remember, many years ago, that the Council aimed to remove ambiguity in the standard by eliminating words like “should” and “periodic” in favor of words like “must” and “annually?” We were on a really good track for a while there. But as it stands right now, the ambiguity is back—and in a very big way. I would encourage you to download the draft and count up the number of “should”s and “periodic”s you find (hint: it’s a BIG increase… like, really big). Again, we don’t know if these will stick, and I’ve been told that adjustments to the standard go down to the wire before it is released.

So what’s your call to action? According to the Council, they want you to come to the Community meetings armed with your questions and comments. When you go through the draft and realize that this is really a bigger overhaul of the standard than I think many of us expected, I believe that the framers will be overwhelmed very quickly. So be nice, but be direct. Don’t complain, just ask for clarification and offer suggestions to remove ambiguity or to clarify. While the process of taking feedback and incorporating it is still quite magical (kind of like the Underpants Gnomes), it is the method given to us by the Council.

The comments below are open! Go nuts, folks!

This post originally appeared on BrandenWilliams.com.