August 16, 2010

PCI Ninja Analysis: PCI DSS 2.0

The PCI Ninja is just like you, except he is a PCI SSC QSA and a CISSP. And he
has a ninja outfit. Other than that, he’s just a regular guy trying to help you get
business done without PCI interfering.

Are you ready for the most sweeping change to PCI DSS since it came over from Visa’s CISP program?

Finally, after years of waiting and certainly hundreds of conversations with stakeholders and the card brands, the PCI SSC has released the highlights of the long-anticipated PCI DSS 2.0.

It’s fairly widely recognized that the PCI DSS is in need of an update. A few “wish list” items this PCI ninja was hoping for:

  • Various Levels of Scope. Rather than systems being “in-scope” or “out-of-scope,” the allowance for variations in scope based on risk. For example, Mabel’s Windows Vista workstation that is used to access a website to enter cardholder information, one card at a time, is technically “transmitting” cardholder data, but shouldn’t necessarily bear the full brunt of PCI DSS (e.g., change control, file integrity monitoring). Systems that store 2 million PANs would have much higher requirements than those that simply transmitted an encrypted PAN every now and again.
  • Different Requirements Based on Merchant Level. Instead of the current approach, which is “all requirements apply to all merchant levels,” a more realistic approach that allows Level 4 merchants to focus on high-impact areas and not have to lie on their Self-Assessment Questionnaires. Finally, the deli down the street could stop spending so much time pre-testing Windows Update patches in their segmented test environment and Tony could stop filling out change control forms instead of getting my soup!
  • Control Objectives instead of Controls. Rather than dictate exact control procedures, such as “[Visitors] asked to surrender the physical token before leaving the facility or at the date of expiration.” (9.3.3), statements of control objectives, such as “Precautions in place to prevent visitors from re-entering without being re-authorized.” This would allow organizations to implement controls based on their business realities instead of what the PCI SSC imagines their business reality may be. That way, I don’t have to put a compensating control in place to explain why my client’s self-destructing badges are sufficient protection.

…believe me, I had many more items on my wish list, but those three I was definitely looking forward to seeing in the much-improved PCI DSS 2.0.

So you can imagine my excitement when I heard that the PCI SSC was releasing their “highlights” document to give me a glimpse at the awesomely revised requirements.

I was drinking my morning coffee and checking out the latest tweets, while periodically throwing knives with extreme precision at the cardboard cutouts of Russian credit card thieves I have in my home office, when I saw the tweet that promised to change my life: “PCI SSC releases PCI 2.0 Highlights.”

In my excitement, I threw my coffee at Vladimir the Carder and swallowed a small throwing knife. Finally, all these years! Ever since I read “The Secret,” I knew that if I just visualized PCI DSS 2.0 every night, it would finally come to pass. And now, here it is…Russo be praised!

With a trembling hand, I moved my mouse over the link and clicked.

“This document from the PCI Security Standards Council (PCI SSC) is designed to provide a transparent runway to the introduction of the new versions of PCI Data Security Standard (PCI DSS)…”

…stop teasing me! Tell me what the changes are! I quickly skimmed through meta-meta-explanation paragraphs about the structure of the structure of the structure of the changes, until my eyes stopped, dead cold, on:

“Stakeholders will notice that the changes to PCI DSS 2.0 and PA-DSS 2.0 are relatively straightforward and do not introduce significant changes.”

…wait, what? Ohhhh, silly PCI SSC. They must be just being modest. Those guys!

The smile on my face quickly faded as I read through the table listing each change…“ensure all locations of cardholder data are included in scope”…“clarify applicability of PCI DSS to Issuers”…“clarify key management processes”…“merge 6.3.1 and 6.5”…then, Conclusion. WHAT???

A flurry of thoughts raced through my head like a netadmin alt-tabbing to find a window that has something work-related on it:

“No, this can’t be happening, I thought. It must be a mistake…I must have clicked on the wrong link!”

“I DID click the right link. What is going on? Where are my changes? Where is the scope conversation? I didn’t spend all this time envisioning to end up with this point release! Now we have to wait three years for another change!!??”

“OK, this can be fixed…maybe if I just called them, and explained that they really need to make some adjustments to the DSS, they would do it! I could show them my wall-climbing skills as proof that I know what I’m doing.”

“What a day. Why do I even do this? I should just give up and let Vladimir and Pavil have the card numbers. Where is my seppuku knife?”

Finally, my stages of DSS grief came to a close and I came to terms with my fate. This is how it is, and I can’t change it. PCI DSS will stay the way it is for the next three years and we should all make peace.