Document Comparison

pci_pa-dss_v2_summary_of_changes.pdf PA-DSS_v3_Summary_of_Changes.pdf
3% similar
10 → 9 Pages
2852 → 2250 Words
21 Content Changes

Content Changes

21 content changes. 11 administrative changes (dates, page numbers) hidden.

Added p. 3
Table 2: Summary of Changes Change Type PA-DSS v2.0 PA-DSS v3.0 Introduction Introduction Purpose of This Document Clarified purpose and use of the document and included reference to PA-DSS ROV Reporting Template.

Clarification Relationship between PCI DSS and PA-DSS Added clarification that PA-DSS applications are in scope for an organization’s PCI DSS assessment.

PCI DSS Applicability Information Relocated section and removed some PCI DSS language that is not applicable to PA-DSS.

Clarification Scope of PA-DSS Scope of PA-DSS Removed information about which payment applications are eligible for PA-DSS. Information on PA-DSS eligibility can be found in the PA-DSS Program Guide.

Clarification Roles and Responsibilities Information regarding relevant stakeholders and their PA-DSS roles and responsibilities has been removed as it is included in the PA-DSS Program Guide.

Clarification PA-DSS Implementation Guide PA-DSS Implementation Guide Provided more guidance on the PA-DSS Implementation Guide and clarified the PA-QSA’s role.

Additional Instructions and Content for Report on …
Added p. 4
Additional Updated requirements and/or testing procedures to reflect PCI DSS changes, where a PA-DSS requirement aligns with a PCI DSS requirement.

As defined in Updated language in requirements and/or corresponding testing procedures for alignment and consistency.

Clarification Separated complex requirements / testing procedures for clarity and removed redundant / overlapping testing procedures.

Clarification Enhanced testing procedures to clarify level of validation expected for each requirement, including:

• Installing the application per the PA-DSS Implementation Guide to verify accuracy of Implementation Guide instructions.

Clarification Other general editing changes include:

• Removed the following columns: “In Place,” “Not in Place,” and “Target Date/Comments.”

• Renumbered requirements and testing procedures to accommodate changes.

• Reformatted requirements and testing procedures for readability, e.g., content from paragraph reformatted to bullet points, etc.

• Made minor wording changes throughout for readability.

• Corrected typographical errors.

Requirement 1

• General Title updated for consistency, to replace “magnetic stripe” with “track data.” Clarification

1.1.c 1.1.1 – 1.1.3 Removed …
Added p. 5
Evolving Requirement 2.6.x 2.5.x Updated testing procedures to clarify key-management techniques must be properly tested. Clarification Updated to clarify that application vendor should provide a mechanism for removing cryptographic key material, if the current or previous versions used cryptographic key materials or cryptograms.

Requirement 3 3.1 3.1 Moved note from former Testing Procedure 3.1.d to Requirement 3.1. Clarification

• 3.1.c 3.1.1 New requirements created from former Testing Procedures 3.1.b – 3.1.c to ensure that changing of default passwords is enforced by the application and appropriately validated.

Clarification 3.1.4 3.1.7 Moved requirement to 3.1.7 for better organization of requirements. Clarification

3.1.6 – 3.1.7 3.1.6 Combined password complexity requirements to align with PCI DSS v3.0 and provide flexibility for other password-composition alternatives that meet the minimum strength requirement.

Clarification

3.3 3.3.1 – 3.3.2 Split requirement 3.3 into two requirements to focus separately on transmitted passwords (3.3.1) and stored passwords (3.3.2). Updated 3.3.2 to require use of a strong one-way …
Added p. 7
Requirement 6 Reorganized requirements to clarify controls that apply to all applications and controls that apply only where wireless is provided or intended for use with the payment application. New Requirement 6.3 created from former Testing Procedure 6.2.b.

Requirement 7

• General Title updated to reflect intent of requirement (to address vulnerabilities and maintain application updates).

Clarification

7.1 7.1.1 – 7.1.3 Split into separate requirements and required use of “reputable” sources for security vulnerability information.

Clarification

7.2 7.2.1 – 7.2.2 Split into separate requirements. Clarification

7.3 New requirement for the application vendor to provide release notes for all application updates.

Requirement 8 8.1 8.1 Expanded example to clarify intent of requirement. Clarification Moved requirement from 5.4 to align with other requirements that facilitate a secure PCI DSS environment.

Clarification Moved requirement from 10.1 to align with other requirements that facilitate a secure PCI DSS environment.

Requirement 9 Added language to clarify the intent of requirement that web servers and …
Added p. 8
Evolving Requirement 10.3.2 10.2.3 Updated to clarify that requirement applies to all types of remote access. Clarification

Requirement 11 Minor updates to provide additional clarity and align with PCI DSS.

Requirement 12 12.1 12.1 12.2 Reorganized requirements to clarify controls that apply to all applications and controls that apply only where the payment application facilitates non-console administrative access.

Requirement 13

• General Changed to focus on requirements for the PA-DSS Implementation Guide. Requirements for instructional documentation and training programs moved to new Requirement 14.

Clarification New requirement to validate that the PA-DSS Implementation Guide is specific to the application and version(s) being assessed.

Clarification 13.1.3 13.1.3 Clarified intent that the PA-DSS Implementation Guide should be reviewed and updated whenever the application or PA-DSS requirements change.

Requirement 14

• General See “General – 13 above.” New requirement to focus on instructional documentation and training programs, including internal training for vendor personnel with PA-DSS responsibilities.

Clarification New requirement for providing information security …
Added p. 9
• Clarified intent that the training materials should be reviewed and

Clarification Appendix B Confirmation of Testing Laboratory Configuration Specific to PA-DSS Assessment Testing Laboratory Configuration for PA-DSS Assessments Refocused Appendix to provide information about expectations and capabilities of the laboratory used to conduct PA-DSS assessments. Details and template for documenting the testing laboratory configuration moved to separate PA-DSS ROV Reporting Template.
Modified p. 1
Payment Card Industry (PCI) Payment Application Data Security Standard Summary of Changes from PA-DSS Version 1.2.1 to 2.0
Payment Card Industry (PCI) Payment Application Data Security Standard Summary of Changes from PA-DSS Version 2.0 to 3.0
Removed p. 2
Section or Requirement Change Type (i) Old New General General Attestation of Validation The Attestation of Validation has been removed from the Appendix and a separate document created. Document references updated accordingly.

Clarification General General Purpose of this Document Added reference to additional resources available on PCI SSC website.

Additional Guidance General General Relationship between PCI DSS and PA-DSS

• Added sentence to clarify that use of a PA-DSS compliant application alone does not make an entity PCI DSS compliant.

• Clarification of magnetic stripe data “and/or equivalent data on the chip.”

Clarification General General Scope of PA-DSS Clarification that PA-DSS does not apply to payment applications developed for and sold to a single customer for the sole use of that customer.

Clarification General General PA-DSS Applicability to Payment Applications on Hardware Terminals Updated, expanded, and renamed section to address payment applications on hardware terminals, where it may be possible to meet PA-DSS requirements outside …
Removed p. 3
Section or Requirement Change Type (i) Old New General General PCI DSS Applicability Information

• Added term “account data” and provided more details on “cardholder data” and “sensitive authentication data.”

• Clarified that primary account number (PAN) is the defining factor for the applicability of PCI DSS.

• Added paragraph (replaced previous footnote) and updated table to clarify which data elements must be rendered unreadable according to PCI DSS Requirement 3.4.

Clarification General General Instructions and Content for Report on Validation Added criteria for reporting if a requirement does not apply to a given payment application, to part 3.

Clarification General General PA-DSS Completion Steps Updated reference to Attestation of Validation.

Clarification All Requirements All Requirements Requirements column throughout Standard Reworded each note that formerly stated “PCI Data Security Standard Requirement X.X” to “Aligns with PCI DSS Requirement X.X” to clarify the alignment between PCI DSS and PA-DSS.

Clarification All Requirements All Requirements Requirements …
Modified p. 3
Updated to align with PCI DSS.
updated to align with changes to PCI DSS.
Modified p. 3 → 4
Clarification 1.1 1.1 Requirement and Testing Procedures
Clarification Requirement Change Type PA-DSS v2.0 PA-DSS v3.0
Removed p. 4
Section or Requirement Change Type (i) Old New

• 1.1.3 Requirements and Testing Procedures Removed specific references to the Glossary since other glossary words are located throughout the standard without referencing the Glossary.

• 1.1.3 Testing Procedures Clarified that testing should include review of “at least the following types of data files.”

Clarification 2.1 2.1 Testing Procedure Clarified that identification of all locations of cardholder data should include instructions for configuring the underlying software to prevent inadvertent capture or retention of cardholder data.

Clarification

2.3 2.3, 2.3.a – 2.3.e Requirement and Testing Procedures

• Clarified that requirement applies only to the PAN.

• Removed note about minimum account information since this has been clarified in the requirement and in the PCI DSS Applicability Table.

• Clarified requirements for using hashing or truncation to render PAN unreadable.

• Added Note to identify risk of hashed and truncated PANs in the same environment, and that additional security …
Removed p. 5
Section or Requirement Change Type (i) Old New 2.6 2.6, 2.6.1 – 2.6.7 Requirements and Testing Procedures

• Removed reference to PCI DSS and imported and reworded PCI DSS testing procedures to create new Sub-Requirements and Procedures 2.6.1 through 2.6.7, as applicable to payment applications.

• Removed reference to PCI DSS and imported and reworded PCI DSS testing procedures to create new Sub-Requirements and Procedures 3.1.1 through 3.1.10, as applicable to payment applications.

• Added documentation of PA-DSS Implementation Guide to Testing Procedure 2.6.a, and renumbered former procedure 2.6.a to 2.6.b.

Clarification 2.7 2.7 Requirement and Testing Procedures

• Clarified that former wording for secure deletion means a tool or process that renders irretrievable the cryptographic keys or material stored by previous versions of the payment application.

• Added “deletion of a key encryption key” as an example of rendering cryptographic key materials or cryptograms irretrievable.
Removed p. 5
• Clarified that secure authentication must be enforced to all accounts generated or managed by the application, by the completion of installation and for subsequent changes after installation.

• 3.1.d Testing Procedures

• Moved Testing Procedure 3.1.c to 3.1.a to address PA-DSS Implementation Guide documentation, and clarified content to align with imported sub-requirements.

• Moved Testing Procedure 3.1.a to 3.1.d to align with imported sub-requirements and added clarification for testing that secure authentication is applied by the completion of installation and after subsequent changes.

• Added new Testing Procedure at 3.1.c, to test that payment application enforces changes to default accounts.

Clarification 3.2 3.2 Requirement Clarified that this requirement addresses vendor guidance to customers.

Section or Requirement Change Type (i) Old New 4.1 4.1, 4.1.a – 4.1.b Testing Procedures Moved testing procedure from 4.2.b to 4.1.b to align with restructured requirements. Minor rewording for clarity.

• Added clarity around specific information that should be included in …
Modified p. 8 → 4
• clarified items for inclusion in PA-DSS Implementation Guide.
• Required PA-DSS Implementation Guide information.
Removed p. 9
Section or Requirement Change Type (i) Old New 10, 11 10 Requirements and Testing Procedures

• Renumbered former 11.1 to 10.1.

  - Clarified that the payment application must not interfere with use of two-factor authentication technologies for secure remote access.

  - Updated example to “Radius with tokens.”

• Renumbered former 11.2 to 10.2. No change to content.

• Added parent Requirement 10.3 for remote access into payment application. Former Requirements 10.1 and 11.3 renumbered to 10.3.1 and 10.3.2, respectively. No change to content.

• Moved examples from testing procedures to the requirements column.

Clarification 12, 13, 14 11, 12, 13 Requirements and Testing Procedures Former Requirements 12, 13 and 14 renumbered to Requirements 11, 12 and 13 respectively, due to merging of Requirements 10 and 11.

Clarification 12.1 11.1 Requirements and Testing Procedures

• Included SSH as an example of a security protocol, removed examples from testing procedure.

• Clarification of terminology “strong cryptography and …
Modified p. 9
Updated references to PCI DSS to reflect PA-DSS requirements.
updated whenever the application or PA-DSS requirements change.
Removed p. 10
Section or Requirement Change Type (i) Old New Appendix B Appendix B Item 6.b Updated reference for vulnerabilities to remove reliance on OWASP only, per changes made to PA-DSS Requirements 5.1 and 5.2.

Clarification Appendix B Appendix B Item 7.c Added clarification that the PA-QSA must validate the clean installation of the remote lab environment to ensure the environment truly simulates a real world situation.

Clarification Appendix C Attestation of Validation Removed from Appendix Reorganized format to provide application vendor information before PA-QSA information.

Clarification

(i) Explanations of “Type”:
Modified p. 10 → 2
New Type Old Type Definition Clarification Clarification Clarifies intent of requirement. Ensure that concise wording in the standards portray the desired intent of requirements.
Table 1: Change Types Change Type Definition Clarification Clarifies intent of requirement. Ensures that concise wording in the standard portrays the desired intent of requirements.
Modified p. 10 → 2
Additional guidance Explanatory Explanations and/or definitions to increase understanding or provide further information on a particular topic.
Additional guidance Explanation, definition and/or instruction to increase understanding or provide further information or guidance on a particular topic.
Modified p. 10 → 2
Evolving Requirement Enhancements Changes to ensure that the standards are up to date with emerging threats and changes in the market.
Evolving Requirement Changes to ensure that the standards are up to date with emerging threats and changes in the market.