For those of you who are not QSAs, the PCI SSC over the last year has tried to keep QSAs in the loop by issuing a monthly Assessor Update newsletter via email. These usually are not noteworthy, but the November 2010 issue contains a number of items that need to be shared in case you missed your edition or you are not a QSA.
PCI DSS Timeline Clarification
The Council apparently got the message that they did not communicate the sunset date for the PCI DSS v1.2.1 and the start date for PCI DSS v2.0 very well. As a result, they issued a clarification in the November 2010 newsletter. To quote the Council:
“Entities needing to comply with the PCI DSS are strongly encouraged to begin using the new standard immediately. However, version 1.2.1 will remain effective until December 31st, 2011 to allow everyone time to adopt any changes they may need to in order to maintain their PCI DSS compliance. This means that organizations assessing and reporting compliance during 2011 may validate to either version 1.2.1 or 2.0. However, the Council urges all organizations to complete their transition to the new standard as quickly as possible, especially where any new controls may enhance the protection of cardholder data.”
Since QSAs will not have the scoring template until sometime in January 2011, planning and executing any v2.0 assessments will be difficult until it is issued. As a result, the earliest I can see any v2.0 assessments getting started is March 2011.
PCI DSS and PA-DSS v2.0 Scoring Templates
And speaking of those scoring templates, the scoring templates for v2.0 of the PCI DSS and PA-DSS should be published sometime in January 2011. It would be nice to have these a bit earlier, but better late than never.
Expiration Of PABP v1.4 Extended 90 Days
The PABP v1.4 standard that was expected to expire tomorrow, December 2, 2010, has been extended to March 2, 2011. To quote the Council:
“This updated deadline recognizes the challenges many merchants and Payment Application end users have in implementing system changes over the busy holiday period, and allows the Payment Application vendor community to consider submitting new versions of their products for assessment against the new PA-DSS 2.0 standard.
The Council is committed to reviewing all submissions for the updated versions of expiring PABP v1.4 applications, and this new March 2nd 2011 deadline will allow the review process to be completed before previous versions of these applications expire. This extension will also provide more time for PA-QSAs to complete reviews of those Payment Applications that are currently in process. Finally, this extension will allow Payment Application vendors, should they choose to hold off on assessment of expiring Payment Applications and instead submit (after January 1st, 2011) their Payment Applications for assessment against the new PA-DSS v2.0 standard.”
ASV Sampling And Scanning Do Not Mix
While sampling of devices is allowed under the PCI DSS, it is not allowed for ASV scans. To quote the Council:
“Within a given quarter, all Internet accessible systems must pass an ASV scan. It is not necessary that they all be scanned at the same time, but they all must be scanned quarterly.”
Apparently, some ASVs were only scanning a sample of the PCI in-scope devices each quarter. I am sure this will lead many organizations to consolidate their external network presence.
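The Council's rule is easy to state but easy to get wrong in practice: every Internet-accessible system needs its own passing ASV scan within the quarter, the scans need not share a date, and a pass in the previous quarter carries nothing forward. The following is an added example, not code from the newsletter or the Council, showing how a merchant or QSA can reconcile an asset inventory against ASV scan records to find the hosts that still owe a passing scan for a given quarter. The host names, dates and results are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (not from the newsletter): the inventory of
# Internet-accessible, in-scope systems and the ASV scan results on file.
INTERNET_FACING = [
    "web-01.example.com",
    "web-02.example.com",
    "vpn-gw.example.com",
    "mail-01.example.com",
]


@dataclass(frozen=True)
class ScanRecord:
    host: str
    scanned_on: date
    passed: bool


SCANS = [
    ScanRecord("web-01.example.com", date(2010, 10, 5), True),    # passed early in Q4
    ScanRecord("web-02.example.com", date(2010, 11, 12), True),   # passed later in Q4; a different date is fine
    ScanRecord("vpn-gw.example.com", date(2010, 11, 20), False),  # scanned in Q4 but failed
    ScanRecord("mail-01.example.com", date(2010, 9, 28), True),   # only a Q3 pass; does not count for Q4
]


def quarter_of(d: date) -> str:
    """Label a date with its calendar quarter, e.g. 2010-11-12 -> '2010Q4'."""
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


def quarterly_coverage(inventory, scans, quarter):
    """Classify every in-scope host for one quarter.

    Returns a dict of three sorted lists:
      passed    - hosts with at least one passing ASV scan in the quarter
      failed    - hosts scanned in the quarter that never passed
      unscanned - hosts with no ASV scan at all in the quarter
    Anything outside 'passed' is a compliance gap for that quarter.
    Scan records for hosts missing from the inventory are ignored here;
    in a real reconciliation they would flag inventory drift.
    """
    in_quarter = [s for s in scans if quarter_of(s.scanned_on) == quarter]
    passed = {s.host for s in in_quarter if s.passed}
    scanned = {s.host for s in in_quarter}
    inv = set(inventory)
    return {
        "passed": sorted(inv & passed),
        "failed": sorted((inv & scanned) - passed),
        "unscanned": sorted(inv - scanned),
    }


def compliance_gaps(inventory, scans, quarter):
    """Hosts that still need a passing scan before the quarter closes."""
    cov = quarterly_coverage(inventory, scans, quarter)
    return cov["failed"] + cov["unscanned"]


if __name__ == "__main__":
    report = quarterly_coverage(INTERNET_FACING, SCANS, "2010Q4")
    for status, hosts in report.items():
        print(f"{status:>9}: {', '.join(hosts) or '(none)'}")
```

Run against the sample data for 2010Q4, the two web hosts are covered even though they were scanned five weeks apart, the VPN gateway shows as failed, and the mail host shows as unscanned because its only pass was in Q3. Feeding the same records into a Q3 check shows the reverse picture, which is the point: coverage is evaluated per quarter, not per scan engagement.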
2011 PCI SSC Training Schedule
The training schedule for next year should be posted to the PCI SSC’s Web site by mid-December.
Telecom Private Circuit FAQ Issued
See the end of my post on MPLS for the text of the FAQ.