Posts Tagged ‘PCI DSS’

Summary of new PCI-DSS v.1.2 released last Monday

Thursday, August 21st, 2008

We are still about a month and a half away from the official publication of version 1.2 of the PCI Data Security Standard. A couple of days ago the PCI Security Standards Council published a summary of the changes, and so far (this is just a summary) no dramatic changes were presented.

Whenever a new version of this kind of standard is published, different questions appear. For example, what happens to companies that are currently in the certification process? Well, these companies have nothing to worry about, since the PCI Security Standards Council states that a company already under assessment can use v.1.1 of the standard, even if it finishes the assessment after the official publication of version 1.2 in October.

For us working in the security area, at a glance some changes seemed rather obvious and some clarified “blurry” aspects of the standard, but there still seems to be some ambiguity out there (we can’t really say until the official 1.2 is published). I must say that I’m personally disappointed that, in this summary, no changes were mentioned about the needed integrity of the logs. The previous 1.1 version of the standard mentions that logs “should be protected against unauthorized modifications”, which makes me wonder: what kind of authorized modification should be done to a log file? Aren’t log files meant to be logging exactly what happened?

More comments will follow as soon as the official PCI-DSS v.1.2 is released.

Authorized modifications in PCI?

Wednesday, July 2nd, 2008

The PCI Consortium is currently working on the new PCI DSS Standard, which will be version 1.2. While reviewing the 12 requirements we came upon a surprising point:

Requirement 10.5.2 states that “Audit Trails files should be protected against unauthorized modifications”. We feel that there is no case for an authorized modification of an audit trail file, and hence the word “unauthorized” should be replaced with “all”. Audit trail files should be absolutely immutable to be of any use in a legal or regulatory context.
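As an added illustration of what “protected against all modifications” means in practice (example code written for this page, not something from the PCI Council or the standard), the following tamper-evident audit log chains each record to the previous one with an HMAC, so that any later edit, reordering or deletion of a record, authorized or not, is detected on verification. The key, sample events and function names are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed key for the example. In a real deployment the key lives on a
# separate log-collection host or HSM so the logging host cannot re-sign records.
VERIFY_KEY = b"example-audit-log-key"
GENESIS = "0" * 64  # chain anchor for the first record


def append_record(chain, event):
    """Append an event. Each tag covers the previous tag plus the record,
    so changing any earlier entry invalidates every entry after it."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS
    payload = json.dumps(event, sort_keys=True)
    tag = hmac.new(VERIFY_KEY, (prev_tag + payload).encode(), hashlib.sha256).hexdigest()
    chain.append({"event": event, "tag": tag})
    return chain


def verify_chain(chain):
    """Return (ok, index_of_first_bad_entry). Recomputes every tag from the
    preceding one; a modified, reordered or deleted entry breaks the chain."""
    prev_tag = GENESIS
    for i, entry in enumerate(chain):
        payload = json.dumps(entry["event"], sort_keys=True)
        expected = hmac.new(VERIFY_KEY, (prev_tag + payload).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev_tag = entry["tag"]
    return True, None


# Constructed sample events carrying the fields Requirement 10 asks for
# (who, what, when, outcome).
SAMPLE_EVENTS = [
    {"ts": "2008-07-02T09:00:00Z", "user": "dba01", "action": "login", "result": "success"},
    {"ts": "2008-07-02T09:05:12Z", "user": "dba01", "action": "select cardholder_data", "result": "success"},
    {"ts": "2008-07-02T09:07:40Z", "user": "dba01", "action": "logout", "result": "success"},
]


def build_sample_chain():
    chain = []
    for ev in SAMPLE_EVENTS:
        append_record(chain, ev)
    return chain


def tampered_sample_chain():
    """An 'authorized' in-place edit that rewrites the second record to hide the
    query. Its stored tag no longer matches, so verification fails at index 1."""
    chain = build_sample_chain()
    chain[1]["event"]["action"] = "select system_clock"
    return chain
```

Removing records from the tail of the chain is not caught by this check alone; the latest tag has to be anchored somewhere the logging host cannot rewrite, such as a periodic copy to a separate log server.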

So, we hope that this “unauthorized” term will be removed in the new release. We’ll keep you posted.