Yesterday, the PCI Standards Council posted a document highlighting some of the upcoming changes to the PCI DSS. That document can be found here.
The document is a “teaser” to what is expected to be released in the October timeframe. Two of the roughly four pages speak to the standards development process and feedback cycle. In addition, the Council itself notes that the updates" are relatively straightforward and do not introduce significant changes."
In terms of substantive previews, the following are worth noting:
- Additional guidance is expected for cardholder environment definition and data flow mapping (i.e. scoping)
- Guidance will be provided on virtualization (emanating from the Special Interest Group on this very topic) including how virtual components are defined "in-scope" as well as guidance on specific controls that were traditionally focused on physical hosts.
- Updates to requirement 3.6 for key management to provide additional flexibility for new technologies and evolving ways to manage encryption keys.
- Updates to vulnerability management and application security to reflect the evolving nature of those topics.
As with the last update, the devil will be in the details. The new standards are expected to be published in October and will become effective for all assessments performed starting in January 2011. At this time, there is no reason to believe that these changes will significantly impact the scope and cost of onsite assessments.