As you wade through the changes document for PCI DSS 3.1, you may notice that there were a few items mentioned there that are not mentioned in this text. For the sake of brevity, any requirements that had minor clarifications of intent were not included in the text (outside of the Third-Party issue because it needs reinforcing). The owner of the Standard is the PCI Security Standards Council, and all of the official documentation can be downloaded from their website at http://www.pcisecuritystandards.org/. For enforcement issues, check with your acquirer to work through the payment brands. For any interpretation issues, check with your QSA. The Council is not an enforcement arm, they don’t want to see your ROC, and they really don’t provide meaningful guidance.
An example of such a change would be the alteration to the compensating control worksheet completed example. Unix admins and QSAs have surmised that the Council actually meant to include the use of “sudo” not “su” when describing how multiple admins can “share” a root account. You can imagine that a 112-page document is going to have oversights like this—some of which may even exist as long as this one. This is where the feedback process becomes critical for all to participate in, to ensure the Standard is in alignment with the risks we face every day.
PCI DSS 3.1 still leaves many of the same unanswered questions we had in PCI DSS 3.0. There still is no linkage to emerging technology when it comes to the Standard itself—which is especially frustrating when you count the sheer volume of pages the Council produces as guidance. There is no mention of cloud, even though nearly every business is leveraging it in some form or fashion. And mobile is still sort of sticking out there without clear guidance.
Regardless of the editorial, the changes in PCI DSS 3.1 are overall positive on a plusminus scale. We are officially out of the feedback
PCI DSS 3.1. DOI: http://dx.doi.org/10.1016/B978-0-12-804627-2.00006-0 © 2016 Elsevier Inc. All rights reserved.
34 PCI DSS 3.1
period for PCI DSS 3.0, but that doesn’t mean you can’t send the Council your comments. They do read the feedback, so be sure to submit something that is based on fact and is well presented. The more you can provide and give to the Council, the better.
I hope you have enjoyed this review of the changes introduced in PCI DSS 3.1. As always, you can find me at my website at http://www.brandenwilliams.com/ with all of my publications. I’m also typically at the major information security shows and have recently been doing quite a few shows in the payments space. If you have any suggestions for future revisions of this book, drop me a line!
Until next time!