PCI DSS 2.0 "Preview"

August 13, 2010 Debbie Zaller

Yesterday, the PCI Standards Council posted a document highlighting some of the upcoming changes to the PCI DSS. That document can be found here.

The document is a “teaser” to what is expected to be released in the October timeframe. Two of the roughly four pages speak to the standards development process and feedback cycle. In addition, the Council itself notes that the updates" are relatively straightforward and do not introduce significant changes."

In terms of substantive previews, the following are worth noting:

Additional guidance is expected for cardholder environment definition and data flow mapping (i.e. scoping)
Guidance will be provided on virtualization (emanating from the Special Interest Group on this very topic) including how virtual components are defined "in-scope" as well as guidance on specific controls that were traditionally focused on physical hosts.
Updates to requirement 3.6 for key management to provide additional flexibility for new technologies and evolving ways to manage encryption keys.
Updates to vulnerability management and application security to reflect the evolving nature of those topics.

As with the last update, the devil will be in the details. The new standards are expected to be published in October and will become effective for all assessments performed starting in January 2011. At this time, there is no reason to believe that these changes will significantly impact the scope and cost of onsite assessments.

As always, if you have any questions, feel free to visit our PCI Resource Center or contact one of our QSAs .

About the Author

Debbie is Principal and co-owner at Schellman & Company, LLC. She began her career in 2000 while working at Arthur Andersen in their Technology Risk Assurance practice. Debbie now leads the Midwest Region along with the Privacy, SOC 2 and SOC 3 service lines and is also on the AICPA’s SOC Specialist Task Force. She is responsible for internal training, methodology creation, and quality reporting. Debbie was a past member of the Florida Institute of Certified Public Accountants’ Board of Governors and served on the Finance and Office Advisory Committee. She also served on the AICPA’s Advanced SOC for Service Organizations Certificate Task Force.
More Content by Debbie Zaller

Welcome to our Hub

PCI DSS 2.0 "Preview"

In terms of substantive previews, the following are worth noting:

About the Author

Previous Article

Next Article

PCI DSS 2.0 "Preview"

In terms of substantive previews, the following are worth noting:

About the Author

Previous Article

Next Article

Other content in this Stream

Schellman's Eric Sampson outlines PCI DSS v4.0 and what you should know before considering the customized approach framework

Schellman's David Baca provides an in-depth look at how organizations can use cloud-native tools to meet compliance requirements for PCI DSS

The PCI SSC has published blogs and guidelines for when remote work is necessary, including the Remote Assessments and the Coronavirus blog that focuses on conducting remote PCI Assessments.

Schellman & Company has become one of the first firms in the industry to offer PCI Software Security Framework (SSF) assessments as a Secure Software and a Secure SLC Assessor.

The SSF provides an objectives-based approach to assessing...

The 2019 PCI North America Community Meeting was held in beautiful Vancouver, British Columbia, Canada. The conference provided takeaways for PCI standards plus sneak peeks info PCI DSS v40.

The PCI SSC is preparing to issue a draft version of PCI DSS v4.0. It was apparent early in the presentation that the update to the PCI DSS is going to be the largest change since v3.0 in 2013.

Security Boulevard recently published a list of valuable PCI DSS compliance tips which Schellman's team of QSAs reviewed and have offered insight and commentary on.

Schellman & Company has become a Qualified PIN Assessor (QPA) for the PCI PIN Security Program.

Introduction Welcome! In the upcoming series of articles (this is Part 1), I’ll be discussing some things to consider if you want to use Kubernetes to host an application that is...

A fresh new release of the PCI SSC's flagship security standard PCI-DSS v 3.2.1

Schellman is pleased to announce that it will join the newly founded Global Executive Assessor Roundtable, the advisory group of senior executives at assessor companies for the payment...

Schellman & Company, LLC, a leading provider of attestation and compliance services, has become an assessor in the PCI Security Standards Council’s new 3-D Secure (3DS) program, and can...

There are some important PCI DSS deadlines coming up. Let’s start with the SSL/early TLS migration. Why is it important for organizations to migrate away from SSL/TLS?

Well over a year ago, the PCI Standards Council announced, in addition to other requirements, that a PCI charter would now be required for service providers after January 31, 2018. Few...

As a follow-up to the "What 2018 Means for Your PCI DSS Assessment" article I posted, a client of mine had a great question regarding the future date for the semi-annual segmentation...

Some of you may have just read the blog title and believe I made a typo on the year, but no, I am here to talk about PCI DSS in 2018. I know it seems crazy to be discussing 2018, as we...