INetU Managed Hosting

Upcoming PCI Changes

July 7th, 2010 by Jason B.

With the new PCI DSS standard due this fall, there is much speculation as to what will be changed, what will be removed, and, more importantly, what new technologies will be added.  Typically, the PCI standards council follows a 24-month lifecycle for changes to the PCI standard.  With the latest (version 1.2) coming out on October 1, 2010, we know that the new standard is close.  Based on evidence from the PCI standards website, they are currently in Stage 4 (New Version/Revision and Final Review) until August 31, 2010.  At that point, there will be a community meeting to discuss the new version/revision by September 30, 2010.  After that, we should expect October 1, 2010 to be the go-live date for the next revision, whether that be 1.3 or 2.0.

There is much hype around which changes will be incorporated into this year's revision.  Much has changed since the last update, including increased virtualization and cloud implementations, so the hope is that these technologies will not only get addressed, but get the fair amount of attention that they deserve.

Here are some of the topics that I expect to be announced with the upcoming release:

  1. Virtualization – With the increased amount of virtualization being used today, and the question of whether or not a virtualized environment can be PCI compliant, I think this is a necessity in the next version.  Virtualization is hot and only getting hotter.  How PCI will work into virtualization is anyone's guess, but there are lots of thoughts.  One example that I heard is that virtual machines from different security zones will not be able to reside on the same hypervisor, so only servers of a similar security level would be allowed on the same hypervisor.  This way, if a web server is exploited and hypervisor access is gained, the intruder will not be able to get into the protected data, because the VM holding it does not exist on that hypervisor.
  2. Hypervisor protection – This one goes hand in hand with virtualization, but I believe it's important enough to stand by itself.  There are many questions about how to protect this resource, whether it is necessary, and by what means.  So things like firewalling, segmentation, IPS, and such have been thrown into the mix.
  3. Cloud implementations – This one is a big one.  Many ask whether a PCI compliant configuration can be achieved on or with a cloud solution and, if so, whether it has to be in a private cloud, or could be in a public or hybrid cloud.  The definition of cloud will be VERY important here.  With cloud implementations growing hourly, hopefully this will be a key takeaway from the new PCI DSS standard.
  4. Web application firewalling – I hope this gets addressed a little more in-depth, since it seems kind of out of place in the current spec.  It is often unclear how to implement one so that it both meets the requirement and adds value to the environment.
  5. Segmentation – I also hope this gets some more definition.  Obviously, segmentation is key, and very important.  But the current standard needs a little more detail on its exact meaning.
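The "one security zone per hypervisor" placement rule floated in item 1 is something an operator can verify from inventory data. The following is an added example written for this post, not INetU code and not anything from the PCI standard; the zone names, hypervisor names and inventory records are constructed and hypothetical. It groups VMs by hypervisor, flags any host that mixes zones, and separately reports hosts where the cardholder-data zone shares a hypervisor with anything else, which is the exposure the post describes.

```python
"""
Audit VM-to-hypervisor placement against a "one security zone per
hypervisor" rule.  Added illustration for the blog post above; the
inventory, zone labels and host names are constructed, not real data.
"""
from collections import defaultdict

# Constructed sample inventory (hypothetical names).  Each record says
# which security zone a VM belongs to and which hypervisor runs it.
# "cde" stands for the cardholder data environment zone.
SAMPLE_INVENTORY = [
    {"vm": "web01", "zone": "dmz", "hypervisor": "hv-a"},
    {"vm": "web02", "zone": "dmz", "hypervisor": "hv-a"},
    {"vm": "db01", "zone": "cde", "hypervisor": "hv-b"},
    {"vm": "app01", "zone": "cde", "hypervisor": "hv-b"},
    {"vm": "report01", "zone": "internal", "hypervisor": "hv-b"},  # mixes zones
    {"vm": "web03", "zone": "dmz", "hypervisor": "hv-c"},
    {"vm": "db02", "zone": "cde", "hypervisor": "hv-c"},  # dmz next to cde
]


def zones_per_hypervisor(inventory):
    """Return {hypervisor: set of zones hosted on it}."""
    zones = defaultdict(set)
    for rec in inventory:
        zones[rec["hypervisor"]].add(rec["zone"])
    return dict(zones)


def find_mixed_hypervisors(inventory):
    """Return {hypervisor: sorted zone list} for every host mixing zones."""
    return {
        hv: sorted(z)
        for hv, z in zones_per_hypervisor(inventory).items()
        if len(z) > 1
    }


def find_cde_exposure(inventory, cde_zone="cde"):
    """
    Narrower check: hypervisors where the cardholder-data zone shares a
    host with any other zone.  Returns a sorted list of
    (hypervisor, other_zones) so the worst findings are easy to report.
    """
    findings = []
    for hv, z in sorted(zones_per_hypervisor(inventory).items()):
        if cde_zone in z and len(z) > 1:
            findings.append((hv, sorted(z - {cde_zone})))
    return findings


def report(inventory):
    """Human-readable summary; returns the number of mixed hosts."""
    mixed = find_mixed_hypervisors(inventory)
    for hv, zones in sorted(mixed.items()):
        print(f"{hv}: hosts zones {', '.join(zones)}")
    for hv, others in find_cde_exposure(inventory):
        print(f"{hv}: CDE shares hypervisor with {', '.join(others)}")
    if not mixed:
        print("no hypervisor mixes security zones")
    return len(mixed)


if __name__ == "__main__":
    report(SAMPLE_INVENTORY)
```

Run on the sample data it flags hv-b (cde plus internal) and hv-c (cde plus dmz) and leaves hv-a alone; feeding it an export from a real inventory system only requires producing the same three fields per VM.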

As you can see, this is going to be a very busy fall for the PCI standards council as everyone eagerly awaits the upcoming draft.  I, for one, look forward to its updates, additions, and clarifications, and also hope all the above will be mentioned in some detail.

©1996-2010 INetU Inc, All rights reserved.