Yesterday the Payment Card Industry (PCI) Security Standards Council (SSC) published two new versions of existing data security standards (DSSs).
The PCISSC has a fixed cycle for the review and publication of its standards, and some information about the new PCI DSS v3 and Payment Application (PA) DSS v3 was announced in August.
There is plenty of discussion elsewhere about the new standards, so I thought I would focus on the PCI DSS changes in Requirement 6 (Develop and Maintain Secure Systems and Applications):
- 6.1 & 6.2 Switched the order of requirements 6.1 and 6.2. Requirement 6.1 now covers identifying and risk ranking new vulnerabilities, and 6.2 covers patching critical vulnerabilities. Clarified how the risk ranking process (6.1) aligns with the patching process (6.2), and also clarified that the latter applies to "applicable" patches.
- 6.3 Added a note to clarify that the requirement for written software development processes applies to all internally developed software and bespoke software, and now mentions "industry standards" as well as "industry best practice".
- 6.3.1 Added "development/test accounts" to "custom accounts" to clarify the intent of the requirement.
- 6.4 & 6.4.1-6.4.4 Enhanced the testing procedures, which are now more specific and include document reviews for all of these requirements.
- 6.4.1 Aligned language between the requirement and the testing procedures to clarify that separation of production/development environments is enforced with access controls.
- 6.5 Updated developer training to include how to avoid common coding vulnerabilities, and to understand how sensitive data is handled in memory.
- 6.5.x Updated requirements to reflect current and emerging coding vulnerabilities and secure coding guidelines. Updated testing procedures to clarify how the coding techniques address the vulnerabilities.
- 6.5.10 New requirement for coding practices to protect against broken authentication and session management.
- 6.6 Increased flexibility by specifying an "automated technical solution that detects and prevents web-based attacks" rather than a "web-application firewall". Added a note to clarify that this assessment is not the same as the vulnerability scans required at 11.2.
A more specific requirement for coding practices around the handling of cardholder data in memory does not appear to have been included. The only related change is the one to 6.5 described above, which requires developer training to cover how sensitive cardholder data is handled in memory.
There is no urgent rush. Whilst it is possible to assess compliance using v3.0 from 1st January 2014, there is no obligation to do so until after 31st December 2014, when v2.0 is withdrawn. Also note that, of the above items, requirement 6.5.10 is only a best practice until 30 June 2015, after which it becomes a requirement. Related supporting documentation, such as updated Self-Assessment Questionnaires (SAQs), Attestations of Compliance (AOCs) and reporting templates, will not be available until early next year.
PCI DSS v3.0 and PA-DSS v3.0 can be downloaded from the PCISSC document library (terms agreement required), together with corresponding summaries of changes from the current versions (v2.0).