Document Comparison
PA-DSS_v3_Summary_of_Changes.pdf → PA-DSS_v3-1_Summary_of_Changes.pdf
14% similar. Pages: 9 → 3. Words: 2250 → 700.
Content Changes
10 content changes. 9 administrative changes (dates, page numbers) hidden.
Added
p. 2
Table 2: Summary of Changes (PA-DSS v3.0 → v3.1)

Requirement (PA-DSS v3.0 / v3.1) | Change | Change Type¹
All | Addressed minor typographical errors (grammar, punctuation, formatting, etc.) and incorporated minor updates for readability throughout the document. | Clarification
All | Changed references from “merchant” to “customer” when referring to entities that use payment applications. |
PCI DSS Applicability Information | Changed reference from “financial institutions” to “acquirers, issuers”. Clarified that PCI DSS applies to any entity that stores, processes or transmits account data. |
2.3 | Clarified in requirement “Note” that additional controls are required if hashed and truncated versions of the same PAN are generated by the payment application. Added Testing Procedure 2.3.c for validation of the Note, and renumbered subsequent testing procedures. | Clarification
2.4 | Updated guidance to clarify key-encrypting keys are not required to be encrypted. However, they must be protected in accordance with Requirement 2.4. | Additional Guidance
2.5 | Changed “encryption” to “cryptographic” in testing procedure to align with the requirement. | Clarification
3.1.7 | … |
Removed
p. 1
Payment Card Industry (PCI) Payment Application Data Security Standard Summary of Changes from PA-DSS Version 2.0 to 3.0
Modified
p. 2
Old: Table 1: Change Types. Columns: Change Type | Definition. Row: Clarification | Clarifies intent of requirement. Ensures that concise wording in the standard portrays the desired intent of requirements.
New: Table 1: Change Types. Columns: Change Type¹ | Definition. Row: Clarification | Clarifies intent of requirement. Ensures that concise wording in the standard portrays the desired intent of requirements. (Only difference: a footnote marker 1 added to the “Change Type” header.)
Removed
p. 3
Table 2: Summary of Changes (PA-DSS v2.0 → v3.0)

Introduction
Section | Change | Change Type
Purpose of This Document | Clarified purpose and use of the document and included reference to PA-DSS ROV Reporting Template. | Clarification
Relationship between PCI DSS and PA-DSS | Added clarification that PA-DSS applications are in scope for an organization’s PCI DSS assessment. |
PCI DSS Applicability Information | Relocated section and updated to align with changes to PCI DSS. Removed some PCI DSS language that is not applicable to PA-DSS. | Clarification
Scope of PA-DSS | Removed information about which payment applications are eligible for PA-DSS. Information on PA-DSS eligibility can be found in the PA-DSS Program Guide. | Clarification
Roles and Responsibilities | Information regarding relevant stakeholders and their PA-DSS roles and responsibilities has been removed as it is included in the PA-DSS Program Guide. | Clarification
PA-DSS Implementation Guide | Provided more guidance on the PA-DSS Implementation Guide and clarified the … |
Removed
p. 4
Additional
Change | Change Type
Updated requirements and/or testing procedures to reflect PCI DSS changes, where a PA-DSS requirement aligns with a PCI DSS requirement. | As defined in
Updated language in requirements and/or corresponding testing procedures for alignment and consistency. | Clarification
Separated complex requirements / testing procedures for clarity and removed redundant / overlapping testing procedures. | Clarification
Enhanced testing procedures to clarify level of validation expected for each requirement, including: • Required PA-DSS Implementation Guide information. • Installing the application per the PA-DSS Implementation Guide to verify accuracy of Implementation Guide instructions. | Clarification
Other general editing changes include: • Removed the following columns: “In Place,” “Not in Place,” and “Target Date/Comments.” • Renumbered requirements and testing procedures to accommodate changes. • Reformatted requirements and testing procedures for readability (e.g., content from paragraph reformatted to bullet points, etc.). • Made minor wording changes throughout for readability. • Corrected typographical errors. | Clarification

Requirement | PA-DSS v2.0 | PA-DSS v3.0 | Change | Change Type
Requirement 1
General | | | Title updated for consistency, … |
Removed
p. 5
Evolving Requirement
PA-DSS v2.0 | PA-DSS v3.0 | Change | Change Type
2.6.x | 2.5.x | Updated testing procedures to clarify key-management techniques must be properly tested. | Clarification
| | Updated to clarify that application vendor should provide a mechanism for removing cryptographic key material, if the current or previous versions used cryptographic key materials or cryptograms. |
Requirement 3
3.1 | 3.1 | Moved note from former Testing Procedure 3.1.d to Requirement 3.1. | Clarification
3.1.b – 3.1.c (testing procedures) | 3.1.1 | New requirements created from former Testing Procedures 3.1.b – 3.1.c to ensure that changing of default passwords is enforced by the application and appropriately validated. | Clarification
3.1.4 | 3.1.7 | Moved requirement to 3.1.7 for better organization of requirements. | Clarification
3.1.6 – 3.1.7 | 3.1.6 | Combined password complexity requirements to align with PCI DSS v3.0 and provide flexibility for other password-composition alternatives that meet the minimum strength requirement. | Clarification
3.3 | 3.3.1 – 3.3.2 | Split requirement 3.3 into two requirements to focus separately on transmitted passwords (3.3.1) and stored passwords (3.3.2). Updated 3.3.2 to require use of a strong one-way … |
Removed
p. 6
Requirement 5
PA-DSS v2.0 | PA-DSS v3.0 | Change | Change Type
5.1 | 5.1 | Enhanced requirement to include security reviews in development processes. | Evolving Requirement
| | New requirement for payment application developers to verify integrity of source code during the development process. | Evolving Requirement
| | New requirement for payment applications to be developed according to industry best practices for secure coding techniques, including: • Developing with least privilege for the environment. • Developing with fail-safe defaults (i.e., all execution is by default denied unless specified within initial design). • Developing for all access-point considerations, including input variances such as multi-channel input to the application. • Documentation of how PAN and/or SAD are handled in memory. | Evolving Requirement
| | New requirement created from former Testing Procedures 5.2.a and 5.2.b for payment application developers to be trained in secure development practices. | Clarification
5.2 | 5.2 | Updated requirement to focus on preventing common coding vulnerabilities. | Clarification
| 5.2.10 | New requirement to address “Broken authentication and session management.” | Evolving Requirement
| | Moved requirement to 8.2 to align with other … |
Removed
p. 7
Requirement 6
PA-DSS v2.0 | PA-DSS v3.0 | Change | Change Type
| | Reorganized requirements to clarify controls that apply to all applications and controls that apply only where wireless is provided or intended for use with the payment application. New Requirement 6.3 created from former Testing Procedure 6.2.b. |
Requirement 7
General | | Title updated to reflect intent of requirement (to address vulnerabilities and maintain application updates). | Clarification
7.1 | 7.1.1 – 7.1.3 | Split into separate requirements and required use of “reputable” sources for security vulnerability information. | Clarification
7.2 | 7.2.1 – 7.2.2 | Split into separate requirements. | Clarification
| 7.3 | New requirement for the application vendor to provide release notes for all application updates. |
Requirement 8
8.1 | 8.1 | Expanded example to clarify intent of requirement. | Clarification
| | Moved requirement from 5.4 to align with other requirements that facilitate a secure PCI DSS environment. | Clarification
| | Moved requirement from 10.1 to align with other requirements that facilitate a secure PCI DSS environment. |
Requirement 9
| | Added language to clarify the intent of requirement that web servers and … |
Removed
p. 8
Evolving Requirement
PA-DSS v2.0 | PA-DSS v3.0 | Change | Change Type
10.3.2 | 10.2.3 | Updated to clarify that requirement applies to all types of remote access. | Clarification
Requirement 11
| | Minor updates to provide additional clarity and align with PCI DSS. |
Requirement 12
12.1 | 12.1, 12.2 | Reorganized requirements to clarify controls that apply to all applications and controls that apply only where the payment application facilitates non-console administrative access. |
Requirement 13
General | | Changed to focus on requirements for the PA-DSS Implementation Guide. Requirements for instructional documentation and training programs moved to new Requirement 14. | Clarification
| | New requirement to validate that the PA-DSS Implementation Guide is specific to the application and version(s) being assessed. | Clarification
13.1.3 | 13.1.3 | Clarified intent that the PA-DSS Implementation Guide should be reviewed and updated whenever the application or PA-DSS requirements change. |
Requirement 14
General | | See “General – 13 above.” New requirement to focus on instructional documentation and training programs, including internal training for vendor personnel with PA-DSS responsibilities. | Clarification
| | New requirement for providing information security … |
Removed
p. 9
PA-DSS v2.0 | PA-DSS v3.0 | Change | Change Type
| | Clarified intent that the training materials should be reviewed and updated whenever the application or PA-DSS requirements change. | Clarification
Appendix B: Confirmation of Testing Laboratory Configuration Specific to PA-DSS Assessment | Appendix B: Testing Laboratory Configuration for PA-DSS Assessments | Refocused Appendix to provide information about expectations and capabilities of the laboratory used to conduct PA-DSS assessments. Details and template for documenting the testing laboratory configuration moved to separate PA-DSS ROV Reporting Template. |