Today, the PCI Security Standards Council announced several changes to the PCI DSS standard that directly apply to file transfer applications. These include:
- Adding references to SSH as a secure protocol (SSL/TLS was already mentioned).
- Explicit consideration of virtual machines and virtualization hypervisors as “in scope” during PCI audits. (As predicted by my March blog post.)
- Changing key rotation requirements from “at least annually” to “based on industry best practices and guidelines.”
- Splitting some identity and authentication requirements for users, “non-consumers” and administrators.
- Increasing the importance of security around accurate timekeeping, especially as it pertains to audit logs. (Coordinated and reliable timestamps are helpful during civil and criminal investigations as well as internal forensics investigations.)
The council also gave notice that a process to classify and rank vulnerabilities by risk valuations (e.g., value of asset times exposure) would be required by June 30, 2012 – details to come later.
These changes were among the many announced by Technical Working Group Chairperson Emma Sutcliff during the general sessions at the PCI Council Community Meeting in Orlando, Florida. Complete written lists of all changes and full copies of the proposed v.2.0 PCI DSS standard were also shared with all PCI Council Community members, including Ipswitch and approximately fifty of Ipswitch’s customers in attendance at the conference.
In the next few weeks these documents will be finalized and released, and implementation of the PCI DSS v.2.0 standard will begin with Reports of Compliance (“ROCs”) filed on or after January 1, 2011. Additional PCI Council draft documents on emerging technologies are also expected by October 5 of this year (and periodically after that); as these become available I will continue to share what I can about them with the wider file transfer community.
Jonathan Lampe is VP, Product Management, of Ipswitch File Transfer. He developed the first editions of the MOVEit managed file transfer software and continues to guide the File Transfer division as it continues to pursue its mission of moving your most valuable data. He holds a computer science degree and an operations degree from Northern Illinois University, an MBA from the University of Wisconsin-Madison and two security certifications: ISC2's CISSP and SANS' System and Network Auditor.
One Response to “PCI DSS Changes Applicable to File Transfer Announced”