Educause Security Discussion mailing list archives
Fwd: [SECURITY] PCI 2.0 Compliance Timeline
From: Dave Koontz <dkoontz () MBC EDU>
Date: Wed, 19 Jan 2011 19:17:22 -0500
All, I just wanted to share the personal input I received from a security vendor monitoring this list, who has asked to remain anonymous. It's so refreshing to see vendors participate in helpful ways, rather than using our list as a sales lead or spam list. I'd like to applaud this particular anonymous vendor's support! I know that they are there if *I* need them, and they did not make this a sales pitch to the entire group. I wish all vendors worked this way!

On Wed, Jan 19, 2011 at 3:38 PM, VENDOR wrote:

Dave, I've added my comments in-line with your text below. Please let me know if you'd like me to explain my answers further. If you want to share my comments with the list, please anonymize my name and contact info. Hopefully this info will be helpful to you.

To give you a little background on me, I'm a QSA who works for a company that does PCI engagements for higher educational institutions. Prior to joining this team, I was a network and security analyst at a large, public research institution of higher education, who helped get that organization compliant with the PCI DSS.

------------------------------
*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of* Dave Koontz
*Sent:* Monday, January 17, 2011 7:35 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] PCI 2.0 Compliance Timeline

> All, we just renewed our PCI compliance survey in mid December (only a few weeks ago). Now our bank's QSA is saying we must now go through the PCI 2.0 survey. From various forum readings, I thought that the new 2.0 was mostly a clarification of the existing surveys, and that re-certification to the 2.0 version was not required until the next renewal cycle.

If you just completed (and submitted) your SAQ in mid-December, you won't have to validate your compliance again until mid-December this year--and you can still use 1.2.1 for your re-validation this year as well. When the PCI Council announced the new three-year period for updating the PCI DSS, they stated that they will grandfather the existing standard for one year after the new standard is announced. From your perspective, your PCI compliance efforts started before 01/01/11, so you are eligible to validate with 1.2.1 again in mid-December of 2011 as well. You don't *have* to validate to 2.0 until mid-December of 2012. Most merchants will decide to start validating to 2.0 this year when they re-validate, but it's not a requirement.

If your bank's QSA stated that you *have* to validate to 2.0 now, please have him/her send you the contractual obligation that you have to do so in writing (the only way that he/she has any ability to make you submit a new SAQ 2.0 is if the bank's policy requires it--the PCI Council will tell you what I've told you above). The only clarifying factor missing here is when your organization signed the attestation of compliance--if the signature is from this calendar year, you've used your grandfathered 1.2.1 SAQ; if the signature is from last calendar year, you can use the grandfathered 1.2.1 again this year.

> The new SAQ C-VT is very interesting. The PCI Council finally addresses the Virtual Terminal services most banks sell, but limits the rules to single PC merchants from quarterly scans, and that is only if they use a notebook PC. Hard wired single PC merchants still require scans?

As for the whole laptop/desktop issue with SAQ C-VT, this is the first time I'm hearing about a difference. I read the open mic write-up from Walt, but I can't imagine that the PCI Council is really making a distinction between a laptop and a desktop--although I will admit that I'm not an authority here. I agree, though, it's pretty bad that you don't need quarterly scanning. I'd always recommend a quarterly scan--even with this SAQ that doesn't require it!

> What about a campus that uses NAT / DHCP with leases of mere hours? That would seem to satisfy the "device moves to different IP addresses" of SAQ C-VT, so what should it matter if it's one or a hundred devices that can do this?

I don't think the IP address is the issue here--the issue is regarding what LAN you are on at the time of using the virtual terminal (well, actually, it is). What we're looking for here is ensuring that the computer acting as a virtual terminal is isolated from the rest of the network. The computer that is acting as a virtual terminal shouldn't be receiving DHCP from your standard/central DHCP server anyway, as this would violate the "only one machine on this LAN" requirement.

> Can anyone shed some light one way or the other? Below are a couple of sites that raise questions in my mind:
>
> http://treasuryinstitutepcidss.blogspot.com/2010/12/pci-open-mic-session.html
> http://blog.403labs.com/post/2056608448/saq-c-eligibility-a-comparison-of-saq-c-v1-2-saq-c
>
> Thanks in advance!
Current thread:
- PCI 2.0 Compliance Timeline Dave Koontz (Jan 17)
- Fwd: [SECURITY] PCI 2.0 Compliance Timeline Dave Koontz (Jan 19)