[Article]-PCI DSS 2.0 Fun Facts

Posts: 4270

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Sat Jan 01, 2011 3:10 am

[Article]-PCI DSS 2.0 Fun Facts

PCI DSS 2.0 is sure to have an impact on 2011, so why not throw out some highlights to get you going. Thanks again to Dr. Chuvakin for his second contribution to EH-Net and hopefully not the last.

Permanent link: [Article]-PCI DSS 2.0 Fun Facts


By Dr. Anton Chuvakin @ Security Warrior Consulting

Do not think of PCI DSS 2.0, that came out this October, as “PCI DSS 1.3!”

Instead, think about it as PCI DSS 1.2.2.  Despite the great fanfare, the changes in PCI DSS are small and tactical.  Don’t get me wrong, a lot of very useful clarifications, reminders and explanations have been added to the standards – both PCI DSS and PA-DSS.  However, a lot of media attention has made it sound as if the PCI Council has “changed everything … again,” and that is simply not the case.  Some of the requirements that are frequently seen by merchants as too specific have been made more generic, while some that have received criticism for being too vaporous have been tightened down.

Let’s go through a few of the interesting changes in PCI DSS and try to predict what the impact would be in the coming year of 2011 as PCI DSS 2.0 is put into practice.

Read the full article using the permanent link above, then please leave your feedback below.


PS - The publication date and time for this article is 2011-01-01 01:01:11. All for you Anton!!  8)
Last edited by don on Sat Jan 01, 2011 3:15 am, edited 1 time in total.


Hero Member
Posts: 929

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Sat Jan 01, 2011 7:48 am

Re: [Article]-PCI DSS 2.0 Fun Facts

Nice article Anton.

I'm pleased to see that the standard is maturing, hopefully in a direction that will (at a minimum) increase the baseline security for organisations that implement the requirement rather than just pay it lip service and pray.

I especially like the clarifications around both internal scanning and I[D/P]S usage. I think it should make it easier for both admins and security teams to justify some of their activities and requests to those less technical higher up.

Finally, I'm glad that I'm not the only one that didn't think 2.0 was that large a convergence from its predecessor, though I must be missing something.


Hero Member
Posts: 1718

Joined: Mon Jan 29, 2007 2:59 pm

Post Sat Jan 01, 2011 10:39 am

Re: [Article]-PCI DSS 2.0 Fun Facts

Dr. Chuvakin, thanks for a good read.  Pointing out the changes in PCI DSS, and highlighting some of the key points are always helpful when bringing this information to customers, so it's always good when we can point them to a reference, such as this article, even if only to begin conversations.

I'm pleased with the increased definition of VM technologies, and separating the functionality across multiple VMs.  That definitely makes it easier to define roles of said systems, and tighten them down better, as well as helping to validate security on the same systems, without having to analyze multiple systems, per VM (from the customer's perspective).  As pentesters, we love to have multiple avenues to pursue, but in recommending remediation steps to customers, it gives us greater ability to justify ourselves.  And that is a welcome change within the specs.

Also, as Andrew noted, it's nice to see more clarity on the IDS/IPS side, for many of the same reasons.

@Andrew - I agree, I hadn't noticed THAT much change, and was hoping the same, that I wasn't somehow missing something really, glaringly obvious.  Glad to see that isn't the case.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer,
but what none can see is the strategy out of which victory is evolved."
- Sun Tzu, 'The Art of War'

OSCE, OSCP (Former - GPEN, C|EH - both expiring / expired)
