EH-Net

Title: [Article]-PCI DSS 2.0 Fun Facts
Post by: don on January 01, 2011, 02:10:13 AM
PCI DSS 2.0 is sure to have an impact on 2011, so why not throw out some highlights to get you going. Thanks again to Dr. Chuvakin for his second contribution to EH-Net and hopefully not the last.

Permanent link: [Article]-PCI DSS 2.0 Fun Facts (http://www.ethicalhacker.net/content/view/345/2/)


By Dr. Anton Chuvakin @ Security Warrior Consulting

Do not think of PCI DSS 2.0, which came out this October, as “PCI DSS 1.3!”

Instead, think about it as PCI DSS 1.2.2.  Despite the great fanfare, the changes in PCI DSS are small and tactical.  Don’t get me wrong, a lot of very useful clarifications, reminders and explanations have been added to the standards – both PCI DSS and PA-DSS.  However, a lot of media attention has made it sound as if the PCI Council has “changed everything … again,” and that is simply not the case.  Some of the requirements that are frequently seen by merchants as too specific have been made more generic, while some that have received criticism for being too vaporous have been tightened down.

Let’s go through a few of the interesting changes in PCI DSS and try to predict what the impact would be in the coming year of 2011 as PCI DSS 2.0 is put into practice.


Read the full article using the permanent link above, then please leave your feedback below.

Don

PS - The publication date and time for this article is 2011-01-01 01:01:11. All for you Anton!!  8)


Title: Re: [Article]-PCI DSS 2.0 Fun Facts
Post by: Andrew Waite on January 01, 2011, 06:48:49 AM
Nice article Anton.

I'm pleased to see that the standard is maturing, hopefully in a direction that will (at a minimum) increase the baseline security for organisations that implement the requirement rather than just pay it lip service and pray.

Especially like the clarifications around both internal scanning and I[D/P]S usage, I think it should make it easier for both admins and security teams to justify some of their activities and requests to those less technical higher up.

Finally, I'm glad that I'm not the only one that didn't think 2.0 was that large a convergence from its predecessor, though I must be missing something.


Title: Re: [Article]-PCI DSS 2.0 Fun Facts
Post by: hayabusa on January 01, 2011, 09:39:03 AM
Dr. Chuvakin, thanks for a good read.  Pointing out the changes in PCI DSS, and highlighting some of the key points are always helpful when bringing this information to customers, so it's always good when we can point them to a reference, such as this article, even if only to begin conversations.

I'm pleased with the increased definition of VM technologies, and separating the functionality across multiple VMs.  That definitely makes it easier to define roles of said systems, and tighten them down better, as well as helping to validate security on the same systems, without having to analyze multiple systems per VM (from the customer's perspective).  As pentesters, we love to have multiple avenues to pursue, but in recommending remediation steps to customers, it gives us greater ability to justify ourselves.  And that is a welcome change within the specs.

Also, as Andrew noted, it's nice to see more clarity on the IDS/IPS side, for many of the same reasons.

@Andrew - I agree, I hadn't noticed THAT much change, and was hoping the same, that I wasn't somehow missing something really, glaringly obvious.  Glad to see that isn't the case.