Fwd: [SECURITY] PCI 2.0 Compliance Timeline

[Dave Koontz <dkoontz () MBC EDU>]

All, I just wanted to share the personal input I received from a security
vendor monitoring this list, who has asked to remain anonymous.

It's so refreshing to see vendors participate in helpful ways, rather than
using our list as a sales lead or spam list. I'd like to applaud this
particular anonymous vendors support!  I know that they are there if *I*
need them, and  they did not make this a sales pitch to the entire group.

I wish all vendors worked this way!


On Wed, Jan 19, 2011 at 3:38 PM, VENDOR  wrote:

>  Dave,
>
> I've added my comments in-line with you text below.  Please let me know if
> you'd like me to explain my answers further.  If you want to share my
> comments with the list, please anonymize my name and contact info.
>
> Hopefully this info will be helpful to you.
>
> To give you a little background on me, I'm a QSA who works for a company
> that does PCI engagements for higher educational institutions.  Prior to
> joining this team, I was a network and security analyst at a large,
> public research institution of higher education, who helped get that
> organization compliant with the PCI DSS.
>
>  ------------------------------
>  *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Dave Koontz
> *Sent:* Monday, January 17, 2011 7:35 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] PCI 2.0 Compliance Timeline
>
>  All, we just renewed our PCI compliance survey in mid December, (only a
> few weeks ago).  Now our banks QSA is saying we must now go through PCI 2.0
> survey.   From various forum readings, I thought that new 2.0 was mostly  a
> clarification of the existing surveys,  and that re-certification to the 2.0
> version was not required until the next renewal cycle.
>
>
> If you just completed (and submitted) your SAQ in mid-December, you won't
> have to validate your compliance again until mid-December this year--and you
> can still use 1.2.1 for your re-validation this year as well.  When the PCI
> Council announced the new three-year period for updating the PCI DSS, they
> stated that they will grandfather the exiting standard for one year after
> the new standard is announced.  From your perspective, your PCI compliance
> efforts started before 01/01/11, so you are eligible to validate with 1.2.1
> again in mid-December of 2011 as well.  You don't *have* to validate to 2.0
> until mid-December of 2012.  Most merchants will decide to start validating
> to 2.0 this year when they re-validate, but it's not a requirement.
>
> If your bank's QSA stated that you *have* to validate to 2.0 now, please
> have him/her send you the contractual obligation that you have to do so in
> writing (the only way that he/she has any ability to make you submit a new
> SAQ 2.0 is if the bank's policy requires it--the PCI council will tell you
> what I've told you above).
>
> The only clarifying factor missing here is when your organization signed
> the attestation of compliance--if the signature is from this calendar year,
> you've used your grandfathered 1.2.1 SAQ, if the signature is from last
> calendar year, you can use the grandfathered 1.2.1 again this year.
>
>
> The new SAQ C-VT is very interesting.  The PCI Council finally addresses
> the Virtual Terminal services most banks sell, but limits the rules to
> single PC merchants from quarterly scans, and that is only if they use a
> notebook PC.  Hard wired single PC merchants still require scans?
>
>
> As for the whole laptop/desktop issue with SAQ C-VT, this is the first time
> I'm hearing about a difference.  I read the open mic write-up from Walt,
> but, I can't imagine that the PCI council is really making a distinction
> between a laptop and a desktop--although, I will admit that I'm not an
> authority here.  I agree, though, it's pretty bad that you don't need
> quarterly scanning.  I'd always recommend a quarterly scan--even with this
> SAQ that doesn't require it!
>
>
> What about a campus that uses NAT / DHCP with leases of mere hours?  That
> would seem to satisfy the device moves to different IP addresses of SAC
> C-VT, , what should it matter if it’s one or a hundred devices that can do
> this?
>
>
> I don't think the IP address is the issue here--the issue is regarding what
> LAN you are on at the time of using the virtual terminal (well, actually, it
> is).  What we're looking for here is ensuring that the computer acting as a
> virtual terminal needs to be isolated from the rest of the network.  The
> computer that is acting as a virtual terminal shouldn't be receiving DHCP
> from your standard/central DHCP server anyway, as this would violate the,
> "only one machine on this LAN" requirement anyway.
>
>
> Can anyone shed some light one way or the other.  Below are a couple of
> sites that raise questions in my mind:
>
>
>
>
> http://treasuryinstitutepcidss.blogspot.com/2010/12/pci-open-mic-session.html
>
>
>
>
> http://blog.403labs.com/post/2056608448/saq-c-eligibility-a-comparison-of-saq-c-v1-2-saq-c
>
>
>
>
>
>
>
> Thanks in advance!