The Payment Card Industry Security Standards Council has released a new version of the PCI DSS Self-Assessment Questionnaire (SAQ), version 2.0. Now that most of us are PCI compliant, it is time to check which version of the SAQ you are currently using. The old version is 1.2, so if this is the version you are currently PCI compliant with, you will have to update in 2012. Although the official implementation date was January 1st 2011, all of the older versions will be grandfathered in until the end of 2011. This means that as long as you have a valid SAQ version 1.2 registered with the PCI Security Standards Council before the end of 2011, your PCI compliance is not in jeopardy.
There will be some changes in version 2.0 and we will review the Summary of Changes Highlights information over the next few weeks on this blog.
The PCI Security Standards Council (SSC) declares that, “Stakeholders will notice that the changes to the PCI DSS 2.0 and PA-DSS 2.0 [PA-DSS stands for Payment (software) Application Data Security Standard] are relatively straightforward and do not introduce significant changes. This reflects the growing maturity of the standards as a strong framework for protecting cardholder data. The updated versions of PCI DSS and PA-DSS will:
- Provide greater clarity on PCI DSS and PA-DSS requirements
- Improve flexibility for merchants
- Help manage evolving risks / threats
- Align with changes in industry best practices
- Clarify scoping and reporting
- Eliminate redundant sub-requirements and consolidate documentation”
The highlight table below shows some details of the changes and the reasons that prompted them (cells left empty where the source did not carry the information):

| Requirement Impact | Reason for Change | Proposed Change | Category |
|---|---|---|---|
| PCI DSS Intro | Clarify applicability of PCI DSS and cardholder data. | Clarify that PCI DSS Requirements 3.3 and 3.4 apply only to PAN. Align language with PTS Secure Reading and Exchange of Data (SRED) module. | |
| Scope of Assessment | Ensure all locations of cardholder data are included in scope of PCI DSS assessments. | Clarify that all locations and flows of cardholder data should be identified and documented to ensure accurate scoping of the cardholder data environment. | Additional Guidance |
| PCI DSS Intro and various requirements | Provide guidance on virtualization. | Expanded definition of system components to include virtual components. Updated requirement 2.2.1 to clarify intent of “one primary function per server” and use of virtualization. | |
| | Further clarification of the DMZ. | Provide clarification on secure boundaries between the internet and the cardholder data environment. | Clarification |
| | Clarify applicability of PCI DSS to Issuers or Issuer Processors. | Recognize that Issuers have a legitimate business need to store Sensitive Authentication Data. | Clarification |
This is only a partial overview. Please come back next week for more and use this site for all of your PCI compliance needs.