I’m sitting here in the back of the session where the 1.2 version of the standard is reviewed, and it looks like Network Segmentation is the stop down. After hearing many people state their case on segmentation, I really have to stand behind the Technical Working Group here. I’m not sure how much clearer it could be made. The standard states that: Without adequate network segmentation (sometimes called a “flat network”) the entire network is in scope of the PCI DSS assessment. Network segmentation can be achieved through internal network firewalls, routers with strong access control lists or other technology that restricts access to a particular segment of a network. The TWG was asked to clarify further and the only ...

Are you here? If so, drop me a line! I am here with our PCI Assessment & Remediation Practice Lead, Steve Levinson, and one of our PCI Consulting Managers, Rob Harvey. We’ll be manning the VeriSign booth during the networking hours, so please stop by! Possibly Related Posts: PCI DSS 4.0 Released plus BOOK DETAILS! PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI DSS 4.0 Needs to be a Complete Rewrite Orfei Steps Down Should you be a PCI Participating Organization?

While the official release does not happen until two weeks from today, many key stakeholders now have a copy of the pre-release version. What can you expect? You can expect THIS blogger to honor his NDA! Seriously though, are you ready? Version 1.1 has been around for over two years now (birthday was September 7, 2006), and by now you should have been able to validate as compliant to that version of the standard. If you are still struggling with 1.1, there is good news along with the bad. The bad news is that in some cases your remediation targets may have shifted slightly in one direction. This will apply to you if you have been doing the absolute bare ...

Is anyone else still just wondering what exactly this means for your business? The summary does definitely answer a few questions, but I am wondering if someone was pressuring the council to release something, ANYTHING, about the new revision. One thing that concerns me as a QSA is the amount of variance that will be introduced in the interpretation of some of the clarifications. For example, right off the bat we see the opportunity for interpretation in the clarification under Requirement 1: Added flexibility in the time frame for review of firewall rules, from quarterly to every 6 months, based on Participating Organization feedback. Now the control can be better customized to the organization’s risk management policies. On the surface, ...