The Choice is No Longer Yours – Changes to PCI

For those that aren’t keeping track, June 30, 2012 is a day to mark on your calendar.  Not because of any special anniversaries or birthdays (although if yours does fall on that day then Congratulations!).  June 30 is the day that we can add one more validation point to our compliance lists from the PCI Data Security Standard.  The testing procedure for requirement 6.2 will transition the risk ranking assignment to new vulnerabilities from optional to mandatory.  And yes, this does impact those filling out a Self-Assessment Questionnaire (SAQ) as well, but only the SAQ D. Specifically the requirement’s reporting detail reads: If risk ranking is assigned to new vulnerabilities, briefly describe the observed process for assigning a risk ranking, including how critical, highest risk vulnerabilities are ranked as “High”* (Note: the ranking of vulnerabilities is considered a best practice until June 30, 2012, after which it becomes a requirement.) * The reporting detail for “Observe process, action state” is not required until June 30, 2012 Personally, I think this is a good idea as it actually gets you thinking about the impacts of the vulnerabilities specific to your organization.  It also allows you to downgrade the vendor supplied criticality should you have existing controls in place to lessen the vulnerability realization.  A common example is having to apply a patch to a web server on a very restricted network (full Access Control Lists, etc.) because the vendor rated it critical (the patch fixed an exploit for remote code execution).  The critical rating is perfectly valid for public facing websites but not as severe for servers that don’t interact with the Internet. For those that don’t currently have an established risk assessment process in place (or those that could use some tweaking), the following blog posts might be helpful; “The Annual Struggle with Assess Risk” and “Measuring Security Risks Consistently.”  Seems like we planned those other blogs, doesn’t it?