The Coalfire Blog
2013 PCI SSC North America Meeting – Wrap-Up
October 21, 2013, Matt Getzelman, PCI Practice Director
Coalfire sent the entire team to the meeting in Las Vegas and everyone reported a positive and engaging experience. We hosted our annual dinner where we caught up with clients and friends – a good time was had by all.
The most valuable technical information was presented during the ‘Assessors Only’ session on Tuesday afternoon. The SSC covered the upcoming changes to the PCI DSS and PA-DSS standards. There was an open Q&A session with excellent insight on the industry’s concerns and the SSC’s intent with many of the proposed changes.
Some of the key announcements and observations were:
- ASV Changes – A lot of information was presented about the upcoming changes to the Approved Scanning Vendor (ASV) baseline, which is currently in progress. The SSC has created a task group to deal with the issue of “Scan Interference”; the task group will address this issue and communicate clear expectations to the rest of the industry. A number of “hints” were dropped that web-based vulnerabilities will play a bigger role in ASV scans (and the revised baseline) going forward.
- PCI DSS 3.0 – Business as Usual – The SSC clarified that this new section of the 3.0 standard requires no assessor validation or documentation. It is merely a section of implementation best practices for maintaining continuous PCI DSS compliance.
- PCI DSS 3.0 – Template Changes – New in the 3.0 release, the SSC has created a reporting template that it would like all QSA organizations to use. The reporting instructions, previously outlined in a separate document, are now included within the standard itself.
- PCI DSS 3.0 – Scope – The SSC made some significant improvements to its stated intent around the PCI DSS scope of validation. These clarifications were covered again during the assessor and general sessions. Most importantly: systems that affect the security of the cardholder data environment (CDE) should be considered in scope for the assessment. During one of the Open Forum sessions, we asked whether this would include A/V servers, patching servers, DNS systems, etc., and the SSC confirmed that it does. It’s important to note that they indicated this will include the originating web servers in e-commerce outsourcing solutions.
- PCI DSS 3.0 – Phase-in Requirements – Several new requirements will be considered best practice only until June 2015. It’s important to review and analyze these new requirements now to prepare your organization for the upcoming impact on your compliance efforts. Our favorite is the change to the penetration testing requirements: “Penetration testing must now validate segmentation technologies.”
- Avoid the Silver Bullet – We heard this phrase a lot during the SSC presentations and in informal discussions with the card brands. The SSC wants to dispel the myth that so many merchants seem to be falling prey to: there is no such thing as a “Silver Bullet” solution that eliminates all PCI DSS scope and responsibility.
- PA-DSS Template Changes – Very little content was presented on the upcoming changes to the PA-DSS. We met several key SSC representatives who will allow us to provide direct feedback about the draft standard. Coalfire has concerns and questions in two major areas of the new draft, which we will clarify in the near future:
  - Hashing requirements for passwords
  - SDLC guidelines
- PCI SSC Tokenization Standards – It seems surreal, but the SSC plans on releasing four tokenization standards in 2014. These standards will cover hashing strength and other considerations for using tokenization technologies to reduce scope. They are not to be confused with the “Tokenization” guidelines recently announced by some card brands.
All said, it was time well spent gathering the information we’ll need to educate our clients about the important changes coming in the world of PCI DSS compliance. We’ll be attending the 2013 PCI SSC European Community Meeting in Nice, France next week, and we hope to see you there! Look for additional updates and information, plus a PCI 3.0 update webinar on November 12th, following the conference.