The Immutable kBlog: thoughts on data integrity

We are still about a month and a half before the official 1.2 version of the PCI Data Security Standard is officially published. A couple of days ago a summary of the changes was published in the official PCI Security Standards Council, and so far (this is just a summary) no dramatic changes were presented.

Whenever a new version of this kind of standards is published, different questions appear. For example, what happens with companies that are currently on the certification process? Well, these companies have nothing to worry about, since the PCI Security Standards council states that if a company is under the assessment process they can use the v.1.1 of the standard, even if they finish the assessment process after the official publication of version 1.2 in October.

For us working in the security area, in a snapshot some changes seemed rather obvious, some clarified “blurry” aspects of the standard, but it seems (can’t really say until the official 1.2 is published) to be still some ambiguity out there. I must say that I’m personally disappointed that -in this summary- no changes were mentioned about the needed integrity of the logs. The previous 1.1 version of the standard mention that logs “should be protected against unauthorized modifications”, which makes me wonder: what kind of authorized modification should be done to a log file? Aren’t log files meant to be logging exactly what happened?

More comments will be done as soon as the official PCI-DSS v.1.2 is released.

Tags: PCI DSS

This entry was posted on Thursday, August 21st, 2008 at 10:07 am and is filed under PCI. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.