Today, the PCI Security Standards Council announced several changes to the PCI DSS standard that directly apply to file transfer applications. These include:
- Adding references to SSH as a secure protocol (SSL/TLS was already mentioned).
- Explicit consideration of virtual machines and virtualization hypervisors as “in scope” during PCI audits. (As predicted by my March blog post.)
- Changing key rotation requirements from “at least annually” to “based on industry best practices and guidelines”.
- Splitting some identity and authentication requirements for users, “non-consumers” and administrators.
- Increasing the importance of security around accurate timekeeping, especially as it pertains to audit logs. (Coordinated and reliable timestamps are helpful during civil and criminal investigations as well as internal forensics investigations.)
The council also gave notice that a process to classify and rank vulnerabilities by risk valuations (e.g., value of asset times exposure) would be required by June 30, 2012 – details to come later.
These changes were among the many announced by Technical Working Group Chairperson Emma Sutcliff during the general sessions at the PCI Council Community Meeting in Orlando, Florida. Complete written lists of all changes and full copies of the proposed v.2.0 PCI DSS standard were also shared with all PCI Council Community members, including Ipswitch and approximately fifty of Ipswitch’s customers in attendance at the conference.
In the next few weeks these documents will be finalized and released, and implementation of the PCI DSS v.2.0 standard will begin with Reports of Compliance (“ROCs”) filed on or after January 1, 2011. Additional PCI Council draft documents on emerging technologies are also expected by October 5 of this year (and periodically after that); as these become available I will continue to share what I can about them with the wider file transfer community.