Document Comparison
PCI_DSS_v3_Summary_of_Changes.pdf → PCI_DSS_v3-1_Summary_of_Changes.pdf
12% similar
Pages: 12 → 5
Words: 3761 → 1204
Content changes: 14

Content Changes
14 content changes. 12 administrative changes (dates, page numbers) hidden.
Added
p. 3
Table 2: Summary of Changes (section in PCI DSS v3.0 → section in PCI DSS v3.1: change [Change Type¹])
• All → All: Addressed minor typographical errors (grammar, punctuation, formatting, etc.) and incorporated minor updates for readability throughout the document. [Clarification]
• Introduction → Introduction: Changed reference from “protecting cardholder data” to “protecting account data”. [Clarification]
• Introduction → Introduction: Clarified that PCI DSS applies to any entity that stores, processes or transmits account data. [Clarification]
• Introduction → Introduction: Changed reference from “personally identifiable information” to “personal information”.
• PCI DSS Applicability Information: Changed reference from “financial institutions” to “acquirers, issuers”.
• PCI DSS Applicability Information: Removed reference to “environments” to clarify applicability at the organization level rather than the system level. [Clarification]
• Scope of PCI DSS Requirements → Scope of PCI DSS Requirements: Aligned with language used earlier in the same section regarding steps for confirming accuracy of the defined CDE. [Clarification]
• Use of Third Party Service Providers / Outsourcing → Use of Third Party Service Providers / Outsourcing: Clarified that validation processes …
Added
p. 4
(PCI DSS v3.0 requirement → PCI DSS v3.1 requirement: change [Change Type])
• 3.2.3: Clarified in requirements that storage of sensitive authentication data is not permitted “after authorization”. [Clarification]
• 3.4 → 3.4: Clarified in requirement note that additional controls are required if hashed and truncated versions of the same PAN are present in an environment. Added Testing Procedure 3.4.e to assist with validation of the Note. Clarified intent of “truncation” in Guidance Column. [Clarification]
• 3.5.2 → 3.5.2: Clarified that “HSM” may refer to a “Hardware” or “Host” Security Module. Aligned with language in PCI PTS. [Clarification]
• 3.6 → 3.6: Clarified that Testing Procedure 3.6.a only applies if the entity being assessed is a service provider. [Clarification]
• 4.1 → 4.1: Removed SSL as an example of a secure technology and added a note to the requirement. See explanation above at 2.2.3. [Evolving Requirement]
• 4.1.1 → 4.1.1: Updated testing procedure to recognize all versions of SSL as examples of weak encryption. [Evolving Requirement]
• 4.2 → 4.2: Included SMS as an example of end-user messaging technology and …
Modified
p. 1
Payment Card Industry (PCI) Data Security Standard Summary of Changes from PCI DSS Version 2.0 to 3.0
Payment Card Industry (PCI) Data Security Standard Summary of Changes from PCI DSS Version 3.0 to 3.1
Modified
p. 2
Table 1: Change Types (Change Type: Definition). Clarification: Clarifies intent of requirement. Ensures that concise wording in the standard portrays the desired intent of requirements.
Table 1: Change Types (Change Type¹: Definition). Clarification: Clarifies intent of requirement. Ensures that concise wording in the standard portrays the desired intent of requirements.
Removed
p. 3
Table 2: Summary of Changes (section in PCI DSS v2.0 → section in PCI DSS v3.0: change [Change Type])
• PCI DSS Applicability Information: Clarified that SAD must not be stored after authorization even if there is no PAN in the environment. [Clarification]
• Relationship between PCI DSS and PA-DSS → Relationship between PCI DSS and PA-DSS: Clarified that all applications that store, process, or transmit cardholder data are in scope for an entity’s PCI DSS assessment, even if PA-DSS validated. Clarified PCI DSS applicability to payment application vendors. [Clarification]
• Scope of Assessment for Compliance with PCI DSS Requirements → Scope of PCI DSS Requirements: Added examples of system components, and added guidance about how to accurately determine the scope of the assessment. Clarified the intent of segmentation. Clarified responsibilities of both the third party and their customers for scoping and coverage of PCI DSS requirements, and clarified the evidence that third parties are expected to provide for their customers …
Removed
p. 4
Additional
• For the security policies and daily operational procedures (formerly requirements 12.1.1 and 12.2), assigned a new requirement number and moved requirements and testing procedures into each of Requirements 1-11. [Clarification]
• Updated language in requirements and/or corresponding testing procedures for alignment and consistency. [Clarification]
• Separated complex requirements / testing procedures for clarity and removed redundant or overlapping testing procedures. [Clarification]
• Enhanced testing procedures to clarify level of validation expected for each requirement. [Clarification]
• Other general editing changes include:
  - Removed the following columns: “In Place”, “Not in Place” and “Target Date/Comments”.
  - Renumbered requirements and testing procedures to accommodate changes
  - Reformatted requirements and testing procedures for readability, e.g. content from paragraph reformatted to bullet points, etc.
  - Made minor wording changes throughout for readability
  - Corrected typographical errors
(Requirement, PCI DSS v2.0 → PCI DSS v3.0: change [Change Type])
• Requirement 1, 1.1.x → 1.1.x: Clarified that firewall and router standards have to be both documented and implemented. [Clarification] …
Removed
p. 5
• Requirement 2: Clarified that requirement for changing vendor default passwords applies to all default passwords, including systems, applications, security software, terminals, etc. and that unnecessary default accounts are removed or disabled. [Clarification]
• 2.1.1 → 2.1.1: Clarified that the intent of the requirement is for all wireless vendor defaults to be changed at installation. [Clarification]
• Clarified that system configuration standards include procedures for changing of all vendor-supplied defaults and unnecessary default accounts. [Clarification]
• 2.2.2 → 2.2.2, 2.2.3: Split requirement at 2.2.2 into two requirements to focus separately on necessary services, protocols and ports (2.2.2), and secure services, protocols, and ports (2.2.3). [Clarification]
• New requirement to maintain an inventory of system components in scope for PCI DSS to support development of configuration standards.
• Requirement 3, 3.1, 3.1.1 → 3.1: Combined requirement 3.1.1 and testing procedures into requirement 3.1 to clarify and reduce redundancy. [Clarification]
• Clarified, if sensitive authentication data is received, that it is rendered unrecoverable upon completion of …
Modified
p. 5 → 3
Clarification General General Updated language in requirements and/or testing procedures for consistency.
Removed
p. 6
(PCI DSS v2.0 requirement → PCI DSS v3.0 requirement: change [Change Type])
• 3.5.2 → 3.5.2, 3.5.3: Split requirement 3.5.2 into two requirements to focus separately on storing cryptographic keys in a secure form (3.5.2), and in the fewest possible locations (3.5.3). Requirement 3.5.2 also provides flexibility with more options for secure storage of cryptographic keys. [Clarification]
• 3.6.x → 3.6.x: Added testing procedures to verify implementation of cryptographic key management procedures. [Clarification]
• 3.6.6 → 3.6.6: Clarified principles of split knowledge and dual control. [Clarification]
• Requirement 4: Aligned language between requirement and testing procedures for consistency. Also expanded the examples of open, public networks.
• Requirement 5 - General: Title updated to reflect intent of the requirement (to protect all systems against malware). [Clarification]
• New requirement to evaluate evolving malware threats for any systems not considered to be commonly affected by malicious software. [Evolving Requirement]
• 5.2 → 5.2: Aligned language between requirement and testing procedures for consistency. [Clarification]
• New requirement to ensure that anti-virus solutions are actively …
Removed
p. 7
(PCI DSS v2.0 requirement → PCI DSS v3.0 requirement: change [Change Type])
• 6.4 → 6.4: Enhanced testing procedures to include document reviews for all requirements at 6.4.1 through 6.4.4. [Clarification]
• 6.4.1 → 6.4.1: Aligned language between requirement and testing procedures to clarify that separation of production/development environments is enforced with access controls. [Clarification]
• Updated developer training to include how to avoid common coding vulnerabilities, and to understand how sensitive data is handled in memory. [Clarification]
• 6.5.x → 6.5.x: Updated requirements to reflect current and emerging coding vulnerabilities and secure coding guidelines. Updated testing procedures to clarify how the coding techniques address the vulnerabilities. [Clarification]
• New requirement for coding practices to protect against broken authentication and session management. Effective July 1, 2015 [Evolving Requirement]
• Increased flexibility by specifying automated technical solution that detects and prevents web-based attacks rather than “web-application firewall.” Added note to clarify that this assessment is not the same as vulnerability scans required at 11.2.
• Requirement 7: Reworded testing procedure …
Removed
p. 8
(PCI DSS v2.0 requirement → PCI DSS v3.0 requirement: change [Change Type])
• Requirement 8 - General: Title updated to reflect intent of the requirement (identify and authenticate all access to system components). Updated and reorganized requirements to provide a more holistic approach to user authentication and identification:
  - Focused 8.1 on user identification
  - Focused 8.2 on user authentication
  - Updated requirements to consider methods of authentication other than passwords
  - Changed “passwords” to “passwords/phrases” where requirement only applies to passwords/phrases
  - Changed “passwords” to “authentication credentials” where requirement applies to any type of authentication credential
  - Clarified that password security requirements apply to accounts used by third party vendors
  [Clarification]
• 8.5.6 → 8.1.5: Clarified the requirement for remote vendor access applies to vendors who access, support or maintain system components, and that it should be disabled when not in use. [Clarification]
• 8.4.2 → 8.2.1: Clarified that strong cryptography must be used to render authentication credentials unreadable during transmission and storage. [Clarification]
…
Removed
p. 9
(PCI DSS v2.0 requirement → PCI DSS v3.0 requirement: change [Change Type])
• New requirement where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.) that the mechanisms must be linked to an individual account and ensure only the intended user can gain access with that mechanism. [Evolving Requirement]
• 8.5.16 → 8.7: Aligned language between requirement and testing procedures for consistency. [Clarification]
• Requirement 9, 9.1.2 → 9.1.2: Clarified intent of the requirement is to implement physical and/or logical access controls to protect publically-accessible network jacks. [Clarification]
• 9.2.x → 9.2.x: Clarified the intent of the requirement to identify, distinguish between, and grant access to onsite personnel and visitors, and that badges are just one option (they are not required). [Clarification]
• New requirement to control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination. [Evolving Requirement]
• 9.3.x → 9.4.x: Aligned language between requirement and testing procedures for consistency and …
Removed
p. 10
(PCI DSS v2.0 requirement → PCI DSS v3.0 requirement: change [Change Type])
• 10.2.5 → 10.2.5: Enhanced requirement to include changes to identification and authentication mechanisms (including creation of new accounts, elevation of privileges), and all changes, additions and deletions to accounts with root or administrative access. [Evolving Requirement]
• 10.2.6 → 10.2.6: Enhanced requirement to include stopping or pausing of the audit logs. [Evolving Requirement]
• 10.6 → 10.6.x: Clarified the intent of log reviews is to identify anomalies or suspicious activity, and provided more guidance about scope of daily log reviews. Also allowed more flexibility for review of security events and critical system logs daily and other logs events periodically, as defined by the entity’s risk management strategy.
• Requirement 11, 11.1.x → 11.1.x: Enhanced requirement to include an inventory of authorized wireless access points and a business justification (11.1.1) to support scanning for unauthorized wireless devices, and added new requirement 11.1.2 to align with an already-existing testing procedure, for incident response procedures if …
Removed
p. 11
(PCI DSS v2.0 requirement → PCI DSS v3.0 requirement: change [Change Type])
• 11.3 → 11.3.3: New requirement created from former testing procedure (11.3.b) to correct exploitable vulnerabilities found during penetration testing and repeat testing to verify corrections. [Clarification]
• New requirement, if segmentation is used to isolate the CDE from other networks, to perform penetration tests to verify that the segmentation methods are operational and effective. [Evolving Requirement]
• Increased flexibility by specifying intrusion-detection and/or intrusion prevention techniques to detect and/or prevent intrusions in the network rather than “intrusion-detection systems and/or intrusion-prevention systems.” [Clarification]
• 11.5 → 11.5: Increased flexibility by specifying change detection mechanism rather than “file integrity monitoring.” [Clarification]
• New requirement to implement a process to respond to any alerts generated by the change-detection mechanism (supports 11.5) [Evolving Requirement]
• Requirement 12, 1.5, 2.5, 3.7, 4.3, 5.4, 6.7, 7.3, 8.8, 9.10, 10.8, 11.6: Combined former requirements at 12.1.1 (for the information security policy to address all PCI DSS requirements) and 12.2 (for operational …