Document Comparison

pci_pa_dss_summary_changes_v1-1_v12.pdf → pci_pa-dss_v2_summary_of_changes.pdf
8% similar
4 → 10 Pages
909 → 2852 Words
18 Content Changes

Content Changes

18 content changes. 7 administrative changes (dates, page numbers) hidden.

Added p. 2
Section or Requirement (Old | New) | Change | Type (i)
General | General | Attestation of Validation: The Attestation of Validation has been removed from the Appendix and a separate document created. Document references updated accordingly. | Clarification
General | General | Purpose of this Document: Added reference to additional resources available on PCI SSC website. | Additional Guidance
General | General | Relationship between PCI DSS and PA-DSS: Added sentence to clarify that use of a PA-DSS compliant application alone does not make an entity PCI DSS compliant. Clarification of magnetic stripe data “and/or equivalent data on the chip.” | Clarification
General | General | Scope of PA-DSS: Clarification that PA-DSS does not apply to payment applications developed for and sold to a single customer for the sole use of that customer.
• … renamed section to address payment applications on hardware terminals, where it may be possible to meet PA-DSS requirements outside of the payment application. | Additional Guidance
General | General | Payment Application Qualified Security Assessor …
Added p. 3
Section or Requirement (Old | New) | Change | Type (i)
General | General | PCI DSS Applicability Information: | Clarification
• Updated to align with PCI DSS.
• Added term “account data” and provided more details on “cardholder data” and “sensitive authentication data.”
• Clarified that the primary account number (PAN) is the defining factor for the applicability of PCI DSS.
• Added paragraph (replaced previous footnote) and updated table to clarify which data elements must be rendered unreadable according to PCI DSS Requirement 3.4.
General | General | PA-DSS Completion Steps: Updated reference to Attestation of Validation. | Clarification
All Requirements | All Requirements | Requirements column throughout Standard: Reworded each note that formerly stated “PCI Data Security Standard Requirement X.X” to “Aligns with PCI DSS Requirement X.X” to clarify the alignment between PCI DSS and PA-DSS. | Clarification
All Requirements | All Requirements | Requirements and Testing Procedures throughout Standard: Wherever previously stated to verify a PA-DSS requirement “in accordance with PCI DSS Requirement X.X,” …
Added p. 4
Section or Requirement (Old | New) | Change | Type (i)
• 1.1.3 Requirements and Testing Procedures: Removed specific references to the Glossary since other glossary words are located throughout the standard without referencing the Glossary.
• 1.1.3 Testing Procedures: Clarified that testing should include review of “at least the following types of data files.” | Clarification
2.1 | 2.1 | Testing Procedure: Clarified that identification of all locations of cardholder data should include instructions for configuring the underlying software to prevent inadvertent capture or retention of cardholder data. | Clarification
2.3 | 2.3, 2.3.a – 2.3.e | Requirement and Testing Procedures:
• Clarified that requirement applies only to the PAN.
• Removed note about minimum account information since this has been clarified in the requirement and in the PCI DSS Applicability Table.
• Clarified requirements for using hashing or truncation to render PAN unreadable.
• Added Note to identify risk of hashed and truncated PANs in the same environment, and that additional security …
Added p. 5
• Clarified that secure authentication must be enforced for all accounts generated or managed by the application, by the completion of installation and for subsequent changes after installation.
• 3.1.d Testing Procedures:
• Moved Testing Procedure 3.1.c to 3.1.a to address PA-DSS Implementation Guide documentation, and clarified content to align with imported sub-requirements.
• … added clarification for testing that secure authentication is applied by the completion of installation and after subsequent changes.
• Added new Testing Procedure at 3.1.c, to test that payment application enforces changes to default accounts.
3.2 | 3.2 | Requirement: Clarified that this requirement addresses vendor guidance to customers. | Clarification
Section or Requirement (Old | New) | Change | Type (i)
4.1 | 4.1, 4.1.a – 4.1.b | Testing Procedures: Moved testing procedure from 4.2.b to 4.1.b to align with restructured requirements. Minor rewording for clarity.
• Added clarity around specific information that should be included in log files.
• Added clarity around specific information that should be included …
Modified p. 1
Payment Card Industry (PCI) Data Security Standard Summary of Changes from PA-DSS Version 1.1 to 1.2
Payment Card Industry (PCI) Payment Application Data Security Standard Summary of Changes from PA-DSS Version 1.2.1 to 2.0
Removed p. 2
• Changed the title of the document from “Security Audit Procedures” to “Requirements and Security Assessment Procedures” to match the name change to PCI DSS Requirements and Security Assessment Procedures.
• Changed all related references to both the PA-DSS and PCI DSS documents and to the assessment process.
• Changed “full magnetic stripe” to “full magnetic stripe data” and added a footnote to define this data. | Clarification
1.1 | 1.1 | Requirement: To align with change to PCI DSS Requirement 3.2, changed “subsequent to” authorization to “after” authorization.
• Added italicized notes.
• Removed references to different types of logs, added “All logs,” and provided examples.
• Changed “Strong one-way hash functions (hashed indexes)” to “One-way hashes based on strong cryptography.”
• Changed “Strong cryptography based on approved standards” to “Strong cryptography with associated key management processes and procedures.” Referenced PCI DSS Glossary for definition of strong cryptography.
• Changed “encryption” to “cryptographic” throughout.
• Added reference to PCI …
Modified p. 2
Clarification | General | General | PCI DSS Applicability Information: To align with changes in the PCI DSS Requirements and Security Assessment Procedures,
Clarification | General | General | PA-DSS Applicability to Payment Applications on Hardware Terminals: Updated, expanded,
Modified p. 2 → 3
Clarification | General | General | Instructions and Content for Report on Compliance: Added “PA-DSS Version used for the assessment” to required report content.
Clarification | General | General | Instructions and Content for Report on Validation: Added criteria for reporting if a requirement does not apply to a given payment application, to part 3.
Modified p. 2 → 4
Clarification | 2.5, 2.6 | 2.5, 2.6 | Requirement & Testing Procedure: To align with changes to PCI DSS Requirements 3.5 and 3.6,
Clarification | 2.5 | 2.5, 2.5.a – 2.5.c | Requirement and Testing Procedures
Modified p. 2 → 5
Clarification | 2.3 | 2.3 | Requirement and Testing Procedures: To align with changes to PCI DSS Requirement 3.4:
Clarification | 2.7 | 2.7 | Requirement and Testing Procedures
Modified p. 2 → 6
1.1.3 Requirement & Testing Procedures: To align with changes to PCI DSS Requirement 3.2: 
5.1.4 Requirements and Testing Procedures: Renumbered due to removal of former Requirements 5.1.1 through 5.1.3.
Removed p. 3
Clarification | 4.2 | 4.2 | Testing Procedures: Added reference to PCI DSS Requirements 10.2.1-10.2.7 and 10.3.1-10.3.6 to clarify that all these PCI DSS requirements should be verified for this testing procedure.
• Added note to detail what type of code this requirement applies to, and that internal parties can perform these code reviews.
• Deleted 5.1.7.c and 5.1.7.d since these tests are now combined into 5.1.7.a and 5.1.7.b.
Clarification | 5.2 | 5.2 | Requirements: To align with changes to PCI DSS Requirement 6.5, added note that the current OWASP Guide at the time of the assessment should be used.
• … updated to new OWASP “Top Ten”) from the requirements column to the testing procedures column.
Modified p. 3
Clarification | 5.1.7 | 5.1.7 | Requirements & Testing Procedures: To align with changes to PCI DSS Requirement 6.3.7:
Clarification | 1.1 | 1.1 | Requirement and Testing Procedures
Modified p. 3 → 5
Updated testing procedures 5.1.7.a and 5.1.7.b to align with PCI DSS 6.3.7.a and 6.3.7.b. 
Moved Testing Procedure 3.1.a to 3.1.d to align with imported sub-requirements and
Modified p. 3 → 6
Clarification | 5.1 | 5.1 | Requirements & Testing Procedures: To align with changes to PCI DSS Requirement 6.3, clarified that applications must be developed in accordance with PCI DSS requirements.
Clarification | N/A | 4.4 | New Requirement and Testing Procedures: Added new requirement to require payment applications to facilitate centralized logging, in alignment with PCI DSS Requirement 10.5.3.
Modified p. 3 → 8
• 5.2.10 Requirements & Testing Procedures:
Clarification | 6.2 | 6.2 | Requirements and Testing Procedures
Modified p. 3 → 9
• Moved explanatory text for each OWASP requirement (previously
• Moved examples from testing procedures to the requirements column.
Removed p. 4
• removed references to specific technology
• WiFi protected access (WPA or WPA2), etc.
• Deleted specific requirements and testing procedures for payment applications with WEP implementations.
• Added requirement that payment applications using wireless technology must facilitate the following: | Clarification
  – Implement wireless according to industry best practices (e.g., IEEE 802.11i) to implement strong encryption for authentication and transmission.
  – For new wireless implementations, it is prohibited to implement WEP after March 31, 2009.
  – For current wireless implementations, it is prohibited to use WEP after June 30, 2010.
10.1 | 10.1 | Requirement & Testing Procedure: To align with changes to PCI DSS Requirement 12.3.9, changed “modems” to “remote access technologies.” | Clarification
12.1 | 12.1 | Requirement & Testing Procedure: To align with changes to PCI DSS Requirement 4.1.1, changed example of “WiFi (IEEE 802.11x)” to “Wireless technologies.” | Clarification
12.2 | 12.2 | Testing Procedure: To align with changes to PCI DSS Requirement 4.2, clarified that end-user messaging technologies …