Document Comparison

PCI-Secure-Software-Standard-Summary-of-Changes-v1_0-to-v1_1.pdf PCI-Secure-Software-Standard-Summary-of-Changes-v1_1-to-v1_2.pdf
19% similar
5 → 7 Pages
1107 → 1621 Words
11 Content Changes

Content Changes

11 content changes. 3 administrative changes (dates, page numbers) hidden.

Added p. 2
New or evolving content | Changes to ensure that the standard is up to date with emerging threats and technologies, and changes in the payment industry. May consist of new, modified, or removed control objectives or test requirements.
Structure or format | Reorganization of content including combining, separating, renaming, or renumbering sections or requirements to align content.
Clarification or guidance
Related Publications | Added new sub-section to identify other PCI standards and supporting documents referenced in the Secure Software Standard. | Clarification or guidance
Stakeholder Roles and Responsibilities | Added new sub-section to describe the primary stakeholder roles and responsibilities for managing, maintaining, and enforcing the PCI Secure Software Standard and Program.
PCI Secure Software Requirements → Overview of PCI Secure Software Standard | Renamed section to clarify its purpose. | Clarification or guidance
Scope of Requirements → Scope of Security Requirements | Renamed and updated section to further clarify the expected scope of a Secure Software Assessment. | Clarification or guidance
Requirements Overview → Requirement Modules …
Added p. 6
Section (v1.1) | Section (v1.2) | Change | Change Type
3.1.c 3.2.c 4.2.c 4.2.d 6.2.d 6.2.e 7.2.c 7.3.a 8.3.b 11.2.a A.2.3.d | 3.1.c 3.2.c 4.2.c 4.2.e 6.2.d 6.2.e 7.2.a 7.3.a 8.3.c 9.1.g 11.2.b A.2.2.a A.2.2.b A.2.3.d | Added new test requirements, new tests to existing test requirements, or moved parts of existing test requirements into new test requirements to clarify intent. | New or evolving content
1.1.d 1.1.e 1.1.f 1.1.g 1.1.h 1.2.b 3.4.a 7.2.c 7.3.a A.2.2.b | 1.1.d 1.1.e 1.1.f 1.1.g 1.1.h 1.2.b 3.4.a 7.2.a 7.3.a A.2.2.d | Expanded the scope of existing test requirements to clarify intent. | New or evolving content
3.1 3.4 6.1 8.4 9.1 A.2.3 | 3.1 3.4 6.1 8.4 9.1 A.2.3 | Updated guidance to provide additional details, clarify concepts, or for other clarification purposes. | Clarification or guidance
7.1 7.1.a 7.2 7.3 | 7.1 7.1.a 7.2 7.3 | Updated control objectives and test requirements to replace references to “approved” cryptographic algorithms, key management processes, and random number generation algorithms and libraries with …
Added p. 7
Section (v1.1) | Section (v1.2) | Change | Change Type
Module C – Web Software Requirements | Added a new requirements module for payment software that uses Internet technologies, protocols, and languages to initiate or support electronic payment transactions.
Modified p. 1
Payment Card Industry (PCI) Software Security Framework Summary of Changes from Secure Software Requirements and Assessment Procedures Version 1.0 to 1.1
Payment Card Industry (PCI) Software Security Framework Summary of Changes from Secure Software Requirements and Assessment Procedures Version 1.1 to 1.2
Removed p. 2
Table 1: Change Types
Change Type¹ | Definition
Clarification | Clarifies intent of requirement. Ensures that concise wording in the standard portrays the desired intent of requirements.
Evolving Requirement | Changes to ensure that the standards are up to date with emerging threats and changes in the market.
Modified p. 2
Introduction This document provides a summary of changes to the PCI Software Security Framework – Secure Software Requirements and Assessment Procedures (“Secure Software Standard”) from v1.0 to v1.1. Table 1 provides an overview of the types of changes. Table 2 summarizes the material changes found in the Secure Software Standard v1.1.
Introduction This document provides a summary of changes to the PCI Software Security Framework – Secure Software Requirements and Assessment Procedures (“PCI Secure Software Standard”) from v1.1 to v1.2. Table 1 provides an overview of the types of changes. Table 2 summarizes the material changes in the Secure Software Standard v1.2.
Modified p. 2
Additional guidance | Explanation, definition and/or instruction to increase understanding or provide further information or guidance on a particular topic.
Table 1: Change Types
Change Type | Definition
Clarification or guidance | Updates to language, explanations, definitions, guidance, and/or instructions to increase understanding or provide further information or guidance on a particular topic.
Removed p. 3
Clarification
Various | Various | Added clarification throughout the document to differentiate software vendors from other types of vendors. | Clarification
Various | Various | Added hyperlinks to all internal references to other sections, control objectives and test requirements. | Clarification
Various | Various | Updated all references to “vendor security guidance” to “software vendor implementation guidance” to align with changes to Control Objective 12.
PCI Secure Software Requirements | Added “PCI” to Secure Software Requirements section title. | Clarification
Secure Software Requirements → Requirements Overview | Moved descriptions of Secure Software Core Requirements and Module A – Account Data Protection sections to the Requirements Overview section. | Clarification
Security Objectives → Requirements Overview | Updated section title and content to remove the concept of “security objectives” as a formal document construct. Added an overview of the main requirements sections to explain how requirements are organized within the document. | Clarification
N/A → Test Platform | Added a new sub-section to explain the purpose and use of a “Test Platform”. | Additional guidance
Secure Software Core Requirements …
Modified p. 3
Section | Change | Type¹
Various | Various | Minor updates to address errata, clarify intent, and support the addition of the Terminal Software Module.
Section (v1.1) | Section (v1.2) | Change | Change Type
General Changes
Throughout | Throughout | Minor updates to address errata, clarify intent, standardize language, and support the addition of the Web Software Module.
Modified p. 3
Clarification Secure Software Requirements
Clarification or guidance
Removed p. 4
Section | Change | Type¹
Updated references to software “installation” to include “initialization, or first use” to account for scenarios where software is delivered (e.g., via a service) rather than installed. | Clarification
2.1.b, 2.1.c 3.4.a, 3.4.c 3.5.a, 3.5.c 7.1.a, 7.1.b 9.1.a, 9.1.c, 9.1.d | 2.1.b, 2.1.c 3.4.a, 3.4.c 3.5.a, 3.5.c 7.1.a, 7.1.b 9.1.a, 9.1.c, 9.1.d | Removed unnecessary or improper internal references. | Clarification
Changed reference in notes from “threat model” to “threat information.” | Clarification
2.3.a, 2.3.d, 2.3.e 3.1.a, 3.1.b 3.2.a, 3.2.b 5.1.a, 5.3.a | 2.3.a, 2.3.d, 2.3.e 3.1.a, 3.1.b 3.2.a, 3.2.b 5.1.a, 5.3.a | Clarified language in the notes in test requirements with internal references to other control objectives. | Clarification
3.4 | 3.4 | Removed improper reference to ISO 27038 in guidance. | Clarification
3.6.b | 3.6.b | Updated incorrect test requirement reference from 3.2.a to 3.6.a.
Section | Change | Type¹
4.1 | 4.1 | Updated the note in Control Objective 4.1 to clarify that it should be validated at the same time as Control Objective 10.1 since it …