A couple of weeks ago, the new PCI DSS 2.0 spec was released.  Fortunately for those who have been through the painstaking process of gaining compliance, some of the more vague areas of the specification have been tightened up a bit, and some areas have been expanded to be more inclusive of new architectural approaches.  What follows is a quick list of some of the more important changes (as I see them):

  • Scope of Assessment for Compliance: Finally, virtualization components have been added to the definition of system components!  Also, a clarification is made to the definition of the cardholder data environment (“people, processes and technology that store, process, or transmit cardholder data or sensitive authentication data.”).
  • General re: Network Segmentation: Clarification that segmentation may be achieved either through physical or logical means.
  • General re: Wireless: The wireless requirements now focus on the presence of a WLAN rather than on a LAN in general.
  • Section 2.2.1:  Clarification of intent of “one primary function per server” and addition of use of virtualization technologies.
  • Section 6.5.1: Removed the sole dependency on OWASP and added other industry references as examples, such as the SANS CWE Top 25 and CERT secure coding guidance.
  • Section 9: Introduction of new term, “onsite personnel” to replace the former term, “employee”.

Additionally, in several places, language was amended to further clarify requirements and examples where clarification was needed. This was very necessary, as I often spoke to one QSA who had one interpretation of a requirement while another QSA had a slightly different one. Interpretation is important because the more consistently PCI standards are implemented, the more predictable the cost of acquiring and maintaining compliance will be; plus, the eCommerce world will be safer for cardholders and issuing banks.

The new specification is available here.