Educause Security Discussion mailing list archives

PCI 2.0 Compliance Timeline


From: Dave Koontz <dkoontz () MBC EDU>
Date: Mon, 17 Jan 2011 19:34:39 -0500

All, we just renewed our PCI compliance survey in mid-December (only a few
weeks ago). Now our bank's QSA is saying we must go through the PCI 2.0
survey. From various forum readings, I thought that the new 2.0 was mostly a
clarification of the existing surveys, and that re-certification to the 2.0
version was not required until the next renewal cycle.



The new SAQ C-VT is very interesting. The PCI Council finally addresses the
Virtual Terminal services most banks sell, but limits the exemption from
quarterly scans to single-PC merchants, and only if they use a notebook PC.
Do hard-wired single-PC merchants still require scans?



What about a campus that uses NAT / DHCP with leases of mere hours? That
would seem to satisfy the "device moves to different IP addresses" criterion
of SAQ C-VT; what should it matter if it is one or a hundred devices that can
do this?



Can anyone shed some light one way or the other? Below are a couple of
sites that raise questions in my mind:



http://treasuryinstitutepcidss.blogspot.com/2010/12/pci-open-mic-session.html



http://blog.403labs.com/post/2056608448/saq-c-eligibility-a-comparison-of-saq-c-v1-2-saq-c

Thanks in advance!
