Document Comparison
pci_dss_v2_summary_of_changes.pdf → PCI_DSS_v3_Summary_of_Changes.pdf
7% similar
Pages: 20 → 12
Words: 5855 → 3761
Content Changes: 23
23 content changes. 18 administrative changes (dates, page numbers) hidden.
Added
p. 3
Table 2: Summary of Changes
PCI DSS v2.0 | PCI DSS v3.0 | Change | Change Type
PCI DSS Applicability Information | Clarified that SAD must not be stored after authorization even if there is no PAN in the environment. | Clarification
Relationship between PCI DSS and PA-DSS | Relationship between PCI DSS and PA-DSS | Clarified that all applications that store, process, or transmit cardholder data are in scope for an entity’s PCI DSS assessment, even if PA-DSS validated. Clarified PCI DSS applicability to payment application vendors. | Clarification
Scope of Assessment for Compliance with PCI DSS Requirements | Scope of PCI DSS Requirements | Added examples of system components, and added guidance about how to accurately determine the scope of the assessment. Clarified the intent of segmentation. Clarified responsibilities of both the third party and their customers for scoping and coverage of PCI DSS requirements, and clarified the evidence that third parties are expected to provide for their customers …
Added
p. 4
Additional
For the security policies and daily operational procedures (formerly requirements 12.1.1 and 12.2), assigned a new requirement number and moved requirements and testing procedures into each of Requirements 1-11. | Clarification
Updated language in requirements and/or corresponding testing procedures for alignment and consistency. | Clarification
Separated complex requirements / testing procedures for clarity and removed redundant or overlapping testing procedures. | Clarification
Enhanced testing procedures to clarify level of validation expected for each requirement. | Clarification
Other general editing changes include:
• Removed the following columns: “In Place”, “Not in Place” and “Target Date/Comments”.
• Renumbered requirements and testing procedures to accommodate changes
• Reformatted requirements and testing procedures for readability (e.g. content from paragraph reformatted to bullet points, etc.)
• Made minor wording changes throughout for readability
• Corrected typographical errors
Requirement | PCI DSS v2.0 | PCI DSS v3.0 | Change | Change Type
Requirement 1 | 1.1.x | 1.1.x | Clarified that firewall and router standards have to be both documented and implemented. | Clarification …
Added
p. 5
PCI DSS v2.0 | PCI DSS v3.0 | Change | Change Type
1.4 | 1.4 | Aligned language between requirement and testing procedures for consistency. | Clarification
Requirement 2 | Clarified that requirement for changing vendor default passwords applies to all default passwords, including systems, applications, security software, terminals, etc. and that unnecessary default accounts are removed or disabled. | Clarification
2.1.1 | 2.1.1 | Clarified that the intent of the requirement is for all wireless vendor defaults to be changed at installation. | Clarification
Clarified that system configuration standards include procedures for changing of all vendor-supplied defaults and unnecessary default accounts. | Clarification
2.2.2 | 2.2.2, 2.2.3 | Split requirement at 2.2.2 into two requirements to focus separately on necessary services, protocols and ports (2.2.2), and secure services, protocols, and ports (2.2.3). | Clarification
New requirement to maintain an inventory of system components in scope for PCI DSS to support development of configuration standards.
Requirement 3 | 3.1, 3.1.1 | 3.1 | Combined requirement 3.1.1 and testing procedures into requirement 3.1 to clarify and reduce …
Added
p. 6
PCI DSS v2.0 | PCI DSS v3.0 | Change | Change Type
3.5.2 | 3.5.2, 3.5.3 | Split requirement 3.5.2 into two requirements to focus separately on storing cryptographic keys in a secure form (3.5.2), and in the fewest possible locations (3.5.3). Requirement 3.5.2 also provides flexibility with more options for secure storage of cryptographic keys. | Clarification
3.6.x | 3.6.x | Added testing procedures to verify implementation of cryptographic key management procedures. | Clarification
3.6.6 | 3.6.6 | Clarified principles of split knowledge and dual control. | Clarification
Requirement 4 | Aligned language between requirement and testing procedures for consistency. Also expanded the examples of open, public networks.
Requirement 5 - General | Title updated to reflect intent of the requirement (to protect all systems against malware). | Clarification
New requirement to evaluate evolving malware threats for any systems not considered to be commonly affected by malicious software. | Evolving Requirement
5.2 | 5.2 | Aligned language between requirement and testing procedures for consistency. | Clarification
New requirement to ensure that anti-virus solutions are actively …
Added
p. 7
PCI DSS v2.0 | PCI DSS v3.0 | Change | Change Type
6.4 | 6.4 | Enhanced testing procedures to include document reviews for all requirements at 6.4.1 through 6.4.4. | Clarification
6.4.1 | 6.4.1 | Aligned language between requirement and testing procedures to clarify that separation of production/development environments is enforced with access controls. | Clarification
Updated developer training to include how to avoid common coding vulnerabilities, and to understand how sensitive data is handled in memory. | Clarification
6.5.x | 6.5.x | Updated requirements to reflect current and emerging coding vulnerabilities and secure coding guidelines. Updated testing procedures to clarify how the coding techniques address the vulnerabilities. | Clarification
New requirement for coding practices to protect against broken authentication and session management. Effective July 1, 2015 | Evolving Requirement
Increased flexibility by specifying automated technical solution that detects and prevents web-based attacks rather than “web-application firewall.” Added note to clarify that this assessment is not the same as vulnerability scans required at 11.2.
Requirement 7 | Reworded testing procedure …
Added
p. 8
PCI DSS v2.0 | PCI DSS v3.0 | Change | Change Type
Requirement 8 - General | Title updated to reflect intent of the requirement (identify and authenticate all access to system components). Updated and reorganized requirements to provide a more holistic approach to user authentication and identification:
• Focused 8.1 on user identification
• Focused 8.2 on user authentication
• Updated requirements to consider methods of authentication other than passwords
• Changed “passwords” to “passwords/phrases” where requirement only applies to passwords/phrases
• Changed “passwords” to “authentication credentials” where requirement applies to any type of authentication credential
• Clarified that password security requirements apply to accounts used by third party vendors
| Clarification
8.5.6 | 8.1.5 | Clarified the requirement for remote vendor access applies to vendors who access, support or maintain system components, and that it should be disabled when not in use. | Clarification
8.4.2 | 8.2.1 | Clarified that strong cryptography must be used to render authentication credentials unreadable during transmission and storage. | Clarification …
Added
p. 9
PCI DSS v2.0 | PCI DSS v3.0 | Change | Change Type
New requirement where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.) that the mechanisms must be linked to an individual account and ensure only the intended user can gain access with that mechanism. | Evolving Requirement
8.5.16 | 8.7 | Aligned language between requirement and testing procedures for consistency. | Clarification
Requirement 9 | 9.1.2 | 9.1.2 | Clarified intent of the requirement is to implement physical and/or logical access controls to protect publicly-accessible network jacks. | Clarification
9.2.x | 9.2.x | Clarified the intent of the requirement to identify, distinguish between, and grant access to onsite personnel and visitors, and that badges are just one option (they are not required). | Clarification
New requirement to control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination. | Evolving Requirement
9.3.x | 9.4.x | Aligned language between requirement and testing procedures for consistency and …
Added
p. 10
PCI DSS v2.0 | PCI DSS v3.0 | Change | Change Type
10.2.5 | 10.2.5 | Enhanced requirement to include changes to identification and authentication mechanisms (including creation of new accounts, elevation of privileges), and all changes, additions and deletions to accounts with root or administrative access. | Evolving Requirement
10.2.6 | 10.2.6 | Enhanced requirement to include stopping or pausing of the audit logs. | Evolving Requirement
10.6 | 10.6.x | Clarified the intent of log reviews is to identify anomalies or suspicious activity, and provided more guidance about scope of daily log reviews. Also allowed more flexibility for review of security events and critical system logs daily and other log events periodically, as defined by the entity’s risk management strategy.
Requirement 11 | 11.1.x | 11.1.x | Enhanced requirement to include an inventory of authorized wireless access points and a business justification (11.1.1) to support scanning for unauthorized wireless devices, and added new requirement 11.1.2 to align with an already-existing testing procedure, for incident response procedures if …
Modified
p. 1
Payment Card Industry (PCI) Data Security Standard Summary of Changes from PCI DSS Version 1.2.1 to 2.0
→
Payment Card Industry (PCI) Data Security Standard Summary of Changes from PCI DSS Version 2.0 to 3.0
Removed
p. 2
Old | New | Section or Requirement | Change | Change Type
General | General | Throughout | Removed specific references to the Glossary as references are generally not provided for other glossary terms. | Clarification
General | General | Attestations of Compliance | Attestations of Compliance removed from appendices and separate documents created. References and Appendix titles updated accordingly throughout document. | Clarification
General | General | Introduction and PCI Data Security Standard Overview | Added information about the role of PCI DSS in the protection of cardholder data. Updated “High Level Overview” graphic to reflect requirement titles. Clarified that the PCI DSS is an assessment tool for use during compliance assessments. Added information about resources available on the PCI SSC website. | Additional Guidance
General | General | PCI DSS Applicability Information | Added term “account data” to align with PTS Secure Exchange and Reading of Data (SRED) module. Provided more details on “cardholder data” and “sensitive authentication data.” Clarified that primary …
Removed
p. 3
Old | New | Section or Requirement | Change | Change Type
General | General | Scope of Assessment for Compliance with PCI DSS Requirements | Added “virtualization components” to the definition of “system components.” Clarified that the cardholder data environment is comprised of “people, processes and technology that store, process, or transmit cardholder data or sensitive authentication data.” | Additional Guidance
General | General | Scope of Assessment for Compliance with PCI DSS Requirements | Added detailed paragraph to clarify that the first step of a PCI DSS review is to accurately determine the scope of the assessment, by identifying all locations and flows of cardholder data and ensuring that all such locations are included in the assessment. | Additional Guidance
General | General | Network Segmentation | Added clarifications including that segmentation may be achieved through physical or logical means. Minor replacements to some wording to clarify meaning. | Clarification
General | General | Wireless | Clarified focus on presence of a WLAN rather than a …
Removed
p. 5
Old | New | Section or Requirement | Change | Change Type
1.3.1 | 1.3.1 | Requirement and Testing Procedure | Clarified intent of requirement for DMZ to restrict inbound traffic to system components that provide authorized services, protocols, and ports. | Clarification
1.3.3 | 1.3.3 | Requirement and Testing Procedure | Clarified that direct connections should not be permitted between the Internet and internal networks. | Clarification
1.3.5 | 1.3.5 | Requirement and Testing Procedure | Clarified intent that only authorized outbound traffic is permitted. | Clarification
1.3.6 | 1.3.6 | Testing Procedure | Allowed greater flexibility in testing procedure by removing specification of port scanner use. | Clarification
1.3.7 | 1.3.7 | Requirement and Testing Procedure | Clarified that requirement applies to any type of cardholder data storage, rather than just databases. | Clarification
1.3.8 | 1.3.8.a • | Requirement and Testing Procedure | Clarified intent to prevent disclosure of private IP addresses to the Internet and ensure that any such disclosure to external entities is authorized. Removed specific references to IP masquerading and use of network address translation (NAT) …
Removed
p. 6
Old | New | Section or Requirement | Change | Change Type
2.1.1 | 2.1.1.a • | Requirement and Testing Procedure | Removed content that overlapped with Requirement 4.1.1, to clarify that the intent of this requirement is to ensure that vendor defaults are changed. Separated Testing Procedure 2.1.1 into individual Testing Procedures 2.1.1.a through 2.1.1.e. Removed reference to WPA, as this is no longer considered strong encryption on its own. | Clarification
2.2 | 2.2 | Requirement and Testing Procedures | Moved examples of system hardening standards from testing procedure to requirement and added ISO as a source for hardening standards. | Clarification
6.2.b | 2.2.b | Testing Procedure | Moved content from former Testing Procedure 6.2.b to 2.2.b to ensure that system configuration standards are updated with vulnerabilities identified in Requirement 6.2. | Clarification
2.2.b | 2.2.d | Testing Procedure | Renumbered Testing Procedure 2.2.b to 2.2.d. | Clarification
2.2.1 | 2.2.1 | Requirement | Updated requirement to clarify intent of “one primary function per server” and use of virtualization. | Additional Guidance
N/A | 2.2.1.b | …
Removed
p. 7
Old | New | Section or Requirement | Change | Change Type
3 | 3 | Introductory paragraph | Clarified “unprotected PANs should not be sent using end-user messaging technologies such as e-mail and instant messaging.” | Clarification
3.1 | 3.1 | Requirement and Testing Procedures | Made this a more general requirement, and moved testing procedures formerly in 3.1 to new Requirement and Testing Procedure 3.1.1 (see below). | Clarification
N/A | 3.1.1, 3.1.1.a • | Requirement and Testing Procedures | Renumbered and separated former Testing Procedure 3.1 to individual Testing Procedures 3.1.1.a through 3.1.1.d. Added detail to requirement to align with testing procedures. New Testing Procedure 3.1.1.e to clarify that assessor should verify that stored data does not exceed retention requirements defined in the policy. | Clarification
3.2 | 3.2 | Requirement and Testing Procedures | Added note to requirement to clarify that it is permissible for issuers and companies that support issuing processing to store sensitive authentication data when there is a business justification and …
Removed
p. 8
Old | New | Section or Requirement | Change | Change Type
3.4 | 3.4 | Requirement | Clarified that requirement applies only to the PAN. Removed note about minimum account information since this has been clarified in the requirement and in the PCI DSS Applicability Table. Clarified requirements if hashing or truncation is used to render PAN unreadable. Added Note to identify risk of hashed and truncated PANs in the same environment, and that additional security controls are required to ensure that original PAN data cannot be reconstructed. Deleted note on the use of compensating controls (since compensating controls may be applicable for most PCI DSS requirements). | Clarification
3.4.d | 3.4.d | Testing Procedure | Clarified that PAN should be “rendered unreadable or removed,” rather than “sanitized or removed,” as “sanitize” is redundant with “remove.” | Clarification
3.4.1.c | 3.4.1.c | Testing Procedure | Clarified note to verify that if disk encryption is not used to encrypt removable media, then …
Removed
p. 9
Old | New | Section or Requirement | Change | Change Type
3.6 | 3.6 | Requirement and Testing Procedures | Moved note from testing procedure to requirement. Clarified in Testing Procedure 3.6.b that service providers should provide key management guidance to customers covering transmission, storage, and update of customer keys (not just storage), in accordance with Sub-Requirements 3.6.1 through 3.6.8. Deleted note about secure transmission of such keys as covered in sub-requirements. | Clarification
3.6.4 | 3.6.4 | Requirement and Testing Procedure | Clarified that key changes are required when keys reach the end of their defined cryptoperiod, rather than “at least annually.” Added guidance for industry best practices. | Clarification
3.6.5 | 3.6.5 | Requirement and Testing Procedures | Changed wording to clarify that keys should be retired or replaced when the integrity of keys has been weakened, and provided examples. Added note that if retired or replaced keys are retained, they must be securely archived and retained only …
Removed
p. 10
Old | New | Section or Requirement | Change | Change Type
4.1 | 4.1, 4.1.a • 4.1.e | Requirement and Testing Procedures | Included SSH as an example of a security protocol, removed examples from testing procedure. Separated Testing Procedure 4.1 into individual Testing Procedures 4.1.a through 4.1.e. Clarified in Testing Procedure 4.1.b that trusted keys and/or certificates are required for all types of transmissions, not only SSL/TLS. Clarified in procedure 4.1.c that the protocol must be implemented to use secure configurations. | Clarification
4.1.1 | 4.1.1 | Requirement | Updated note regarding use of WEP as of 30 June 2010. | Clarification
4.2 | 4.2 | Requirement and Testing Procedures | Changed wording to clarify that unprotected (rather than unencrypted) PANs should never be sent by end-user messaging technologies. | Clarification
5.2 | 5.2 | Requirement and Testing Procedures | Clarified that anti-virus mechanisms should be generating audit logs, rather than just being “capable of generating” such logs. | Clarification
6.1 | 6.1 | Requirements | Clarified intent to protect system components and …
Removed
p. 10
Clarification 6.3.1 N/A Requirements and Testing Procedures Removed requirements and testing procedures as vulnerability testing formerly in 6.3.1 is addressed in 6.5.1 through 6.5.9.
Section or Requirement Change Typei Old New
• 6.4.4 Requirements and Testing Procedures Moved requirements and testing procedures to 6.4, to clarify intent that requirements apply to test and development environments, and not just development environments.
• 6.3.2 Requirements and Testing Procedures Renumbered requirements and testing procedures due to merging and/or moving of previous requirements.
Clarification 6.3.7 6.3.2 Requirement and Testing Procedures Removed circular reference from note. Consolidated testing procedures (formerly 6.3.7.a and 6.3.7.b) into single procedure 6.3.2.a, to combine „internal‟ and „web‟ applications into single procedure. Removed specific reference to web applications and OWASP Guide to consolidate secure coding requirements for applications in scope, including non-web applications. Renumbered testing procedure previously 6.3.7.c to 6.3.2.b.
Clarification 6.4 6.4 Requirement and Testing Procedures Clarified requirement and testing …
Removed
p. 13
Section or Requirement Change Type Old New
8 8 Introductory Paragraph Added note to align with PA-DSS Requirement 3.2, regarding applicability of unique user ID and secure authentication controls to “user accounts within a point of sale payment application that only have access to one card number at a time in order to facilitate a single transaction (such as cashier accounts).”
Clarification 8.2 8.2 Requirement Added clarification and examples of authentication methods.
Clarification 8.3 8.3 Requirement and Testing Procedure Clarified examples of two-factor authentication to include Radius “with tokens” and “other technologies that support strong authentication.” Added note to clarify intent of two-factor authentication.
Clarification 8.5 8.5 Requirements and Testing Procedures Added term “identification.”
Clarification 8.5.2, 8.5.7, 8.5.8, 8.5.13 8.5.2, 8.5.7, 8.5.8, 8.5.13 Requirements and Testing Procedures Added “authentication” to allow for more flexibility for companies using other authentication mechanisms outside of passwords.
Clarification 8.5.3 8.5.3 Requirement and Testing Procedures Included “password resets” as …
Removed
p. 17
Section or Requirement Change Type Old New
11.2 11.2, 11.2.1
• Requirements and Testing Procedures Separated and renumbered internal & external scan requirements formerly 11.2 into individual Sub-Requirements and Testing Procedures 11.2.1 through 11.2.3. Moved note from former Testing Procedure 11.2.b to Requirement 11.2 to clarify that four internal and external scans must be verified.
Clarification 11.2.a 11.2.1.a
• Testing Procedure Clarified that the internal scan process includes rescans until passing results are obtained, or all “High” vulnerabilities as defined in PCI DSS Requirement 6.2 are resolved. Clarified that internal scans should be performed by qualified parties.
Clarification 11.2.b 11.2.2.a
• Testing Procedures Replaced “PCI Security Scanning Procedures” with “ASV Program Guide Requirements.” Clarified that ASVs are approved by the PCI Security Standards Council (PCI SSC).
Clarification 11.2.c 11.2.3.a
• Testing Procedures Clarified requirements for internal & external scans to include rescans until high-risk vulnerabilities are addressed, and to be performed …
Modified
p. 20 → 2
Table 1: Change Types
Change Type Definition
Clarification Clarifies intent of requirement. Ensures that concise wording in the standard portrays the desired intent of requirements.
Modified
p. 20 → 2
Additional guidance Explanatory Explanations and/or definitions to increase understanding or provide further information on a particular topic.
Additional guidance Explanation, definition and/or instruction to increase understanding or provide further information or guidance on a particular topic.
Modified
p. 20 → 2
Evolving Requirement Enhancements Changes to ensure that the standards are up to date with emerging threats and changes in the market.
Evolving Requirement Changes to ensure that the standards are up to date with emerging threats and changes in the market.