pci_dss_v2_summary_of_changes.pdf (uploaded 2011-01-09, 397KB PDF, 20 pages)
PCI DSS has been upgraded to version 2.0; this summary focuses on the specific explanation of the changes to the DSS requirements.
Payment Card Industry (PCI)
Data Security Standard
Summary of Changes from
PCI DSS Version 1.2.1 to 2.0
October 2010
Summary of Changes from PCI DSS Version 1.2.1 to 2.0 October 2010
Copyright 2010 PCI Security Standards Council LLC Page 2 of 20
| Section or Requirement (Old) | Section or Requirement (New) | Section | Change | Type |
|---|---|---|---|---|
| General | General | Throughout | Removed specific references to the Glossary as references are generally not provided for other glossary terms. | Clarification |
| General | General | Attestations of Compliance | Attestations of Compliance removed from appendices and separate documents created. References and Appendix titles updated accordingly throughout document. | Clarification |
| General | General | Introduction and PCI Data Security Standard Overview | Added information about the role of PCI DSS in the protection of cardholder data. Updated “High Level Overview” graphic to reflect requirement titles. Clarified that the PCI DSS is an assessment tool for use during compliance assessments. Added information about resources available on the PCI SSC website. | Additional Guidance |
| General | General | PCI DSS Applicability Information | Added term “account data” to align with PTS Secure Exchange and Reading of Data (SRED) module. Provided more details on “cardholder data” and “sensitive authentication data.” Clarified that primary account data (PAN) is the defining factor for the applicability of PCI DSS. Removed footnote addressing other legislation and replaced with updated paragraph text. Updated paragraph text and applicability table to clarify which data elements must be rendered unreadable according to PCI DSS Requirement 3.4. | Clarification |
| N/A | General | Relationship between PCI DSS and PA-DSS | Added new section to reflect content in PA-DSS. Clarified that use of a PA-DSS compliant application alone does not make an entity PCI DSS compliant. | Additional Guidance |
| General | General | Scope of Assessment for Compliance with PCI DSS Requirements | Added “virtualization components” to the definition of “system components.” Clarified that the cardholder data environment is comprised of “people, processes and technology that store, process, or transmit cardholder data or sensitive authentication data.” | Additional Guidance |
| General | General | Scope of Assessment for Compliance with PCI DSS Requirements | Added detailed paragraph to clarify that the first step of a PCI DSS review is to accurately determine the scope of the assessment, by identifying all locations and flows of cardholder data and ensuring that all such locations are included in the assessment. | Additional Guidance |
| General | General | Network Segmentation | Added clarifications including that segmentation may be achieved through physical or logical means. Minor replacements to some wording to clarify meaning. | Clarification |
| General | General | Wireless | Clarified focus on presence of a WLAN rather than a LAN. | Clarification |
| General | General | Third Parties/Outsourcing | Minor changes to terminology for consistency. | Clarification |
| General | General | Sampling of Business Facilities and System Components | Clarified that sampling is conducted independently by the assessor and that sampling must first be performed for business facilities and then for system components within each selected facility. Clarified that sampling does not reduce the scope of the cardholder data environment or the applicability of PCI DSS, and that sampling of the individual PCI DSS requirements is not permitted. Clarified specific criteria that assessors must document when using sampling. Added criteria that assessors must revalidate the sampling rationale for each assessment. | Additional Guidance |
| General | General | Instructions and Content for Report on Compliance | Added criteria for assessor to report how the accuracy of the PCI DSS scope was validated for the assessment, in Part 2. Updated reporting detail for sampling rationale and validation of sample size in Part 2, to align with clarified content in Sampling section. Clarified in Part 3 that list of individuals interviewed should include their organizations and topics covered. Moved “Timeframe of Assessment” from Part 2 to Part 4, and added that the timeframe should indicate the duration and specify the time period over which the assessment occurred. Changed “PCI DSS Security Scanning Procedures” to “Approved Scanning Vendors Program Guide” in Part 5. Added explanation for N/A responses in Part 6. Minor wording changes for consistency. | Additional Guidance |
| General | General | PCI DSS Compliance – Completion Steps | Updated reference to Attestations of Compliance on the PCI SSC website. | Clarification |
| General | General | Detailed PCI DSS Requirements and Security Assessment Procedures | Added clarification that N/A responses are to be reported in the “In Place” column. | Clarification |
| 1 | 1 | Introductory Paragraph | Minor wording changes for consistency. Added explanation that other system components providing firewall functionality must be treated in accordance with Requirement 1. | Additional Guidance |
| 1.1.3 | 1.1.3.a, 1.1.3.b | Testing Procedures | Separated Testing Procedure 1.1.3 into individual Testing Procedures 1.1.3.a through 1.1.3.b. | Clarification |
| 1.1.5 | 1.1.5 | Requirement | Added examples of insecure services, protocols or ports. | Additional Guidance |
| 1.2 | 1.2 | Requirement | Updated requirement to align with testing procedure. | Clarification |
| 1.3 | 1.3 | Testing Procedure | Restructured to clarify intent of procedure. | Clarification |