TRANSCRIPT
What’s New in PCI DSS v2
Cindy Valladares, Solutions Marketing
IT SECURITY & COMPLIANCE AUTOMATION3
Agenda
Effective Dates
What’s New
Impact on Tripwire Products
Roadmap for Products Compatibility with PCI DSS v2
Other PCI Council Documents
Effective Dates
Published on October 28, 2010
Effective date: January 1, 2011
Valid for 3 years
PCI DSS v1.2.1 to be retired on Dec 31, 2011
Mix & Match Versions?
• Yes for implementation, as long as most stringent control is used
• No for compliance validation
Feedback period for next version begins Nov 2011
What’s New in PCI DSS version 2
Evolutionary, not Revolutionary
No Major Changes
3 Change Categories:
• Evolving Requirement
• Additional Guidance
• Clarification
Evolving Requirement
Mainly Requirement 6.2, but also Requirements 6.5.6 and 11.2
Risk-based approach for addressing vulnerabilities
Sunrise date of July 1, 2012
Additional Guidance
Scoping the cardholder data environment (CDE)
Sampling of business facilities and system components
Virtualization
Detection of rogue wireless points
Relationship between PCI DSS and PA-DSS
Clarifications
PCI DSS applicability
Clarify the boundaries between the Internet and the CDE (1.3)
Issuers and sensitive authentication data (3.2)
Rendering PAN unreadable (3.4)
Additional sources for secure coding for non-web-based apps (6.5)
Time synchronization services (10.4)
Other clarifications: ROC, key management, anti-virus logs, ID targets for intrusion detection, policy for remote access to CHD, AOCs, SAQs
Impact on Tripwire Enterprise
Tripwire Enterprise has 38 PCI policies
Policy Compliance Impact on Requirements 2, 4, 7, 8 and 10
• Requirement 2 – 6 changes
• Requirement 4 – 1 change
• Requirement 7 – no changes
• Requirement 8 – 2 changes
• Requirement 10 – 4 changes
42 document organizational changes
• Most in the context of test procedures
• Don’t affect our policies greatly
Tripwire Enterprise Support for PCI DSS v2
Two Priority Groups
• Group 1: Windows, Red Hat, Solaris, others?
• Group 2: all others
Group 1 scheduled for Q1 2011
Group 2 scheduled for Q2 2011
Update will include both TE v8 and v7.7
Will maintain PCI DSS v1.2.1 content for all 2011
Impact on Tripwire Log Center
Little or no impact expected
4 organizational changes in Requirement 10
Enhanced Support for PCI DSS v2 in Tripwire Log Center’s PCI Solution Pack v2
PCI DSS v2 requirements for log management are more comprehensive than in the previous version
PCI DSS v1.2.1 support will be addressed in documentation
“Out of the gate” support on Oct 28th – TBC
Marketing Activities
Customer webcast on November 9th
Blog posts & Social Media
Marketing & Sales Collateral
• Most collateral doesn’t refer to a specific version
• PCI DSS Detailed Matrix
Additional Documentation Issued by the PCI Council
Point to Point Encryption Initial Roadmap
EMV Guidance
Tokenization – Expected in November 2010
Compliance Metaphor