Summary of Changes from PCI DSS Version 1.2.1 to 2.0 October 2010
Copyright 2010 PCI Security Standards Council LLC Page 3 of 20
Scope of Assessment for Compliance with PCI
DSS Requirements
Added “virtualization components” to the
definition of “system components.”
Clarified that the cardholder data environment is
comprised of “people, processes and
technology that store, process, or transmit
cardholder data or sensitive authentication
data.”
Scope of Assessment for Compliance with PCI
DSS Requirements
Added detailed paragraph to clarify that the first step
of a PCI DSS review is to accurately determine the
scope of the assessment, by identifying all locations
and flows of cardholder data and ensuring that all
such locations are included in the assessment.
Network Segmentation
Added clarifications including that segmentation
may be achieved through physical or logical
means.
Minor replacements to some wording to clarify
meaning.
Wireless
Clarified focus on presence of a WLAN rather than a
LAN.
Third Parties/Outsourcing
Minor changes to terminology for consistency.
Sampling of Business Facilities and System
Components
Clarified that sampling is conducted
independently by the assessor and that
sampling must first be performed for business
facilities and then for system components within
each selected facility.
Clarified that sampling does not reduce the
scope of the cardholder data environment or the
applicability of PCI DSS, and that sampling of
the individual PCI DSS requirements is not
permitted.
Clarified specific criteria that assessors must
document when using sampling. Added criteria
that assessors must revalidate the sampling
rationale for each assessment.
