Preview Of PCI DSS 1.3 – Oops 2.0 – Released

The PCI Security Standards Council released the summary of changes for the new version of PCI DSS — 2.0. Merchants, you can quit holding your breath, as this document is a yawner — as we've long suspected it would be. In fact, to call it 2.0 is a real stretch, since it seems to be filled — as promised in earlier briefings with the PCI SSC — merely with additional guidance and clarifications. Jeff, over at the PCI Guru, has a great review of the summary doc, so I won't try to duplicate his detailed analysis. The most helpful part of the doc is an acknowledgement that more guidance on virtualization — the "one primary function per server" rule of Requirement 2.2.1 — will finally be addressed.

Suffice it to say, it doesn't look good for all those data loss prevention (DLP) vendors looking for Santa Compliance to leave them a little gift under the tree this year. I've been hearing hopeful rumors (that I assume start within the bowels of DLP vendor marketing departments) that PCI would require DLP in the next version. Looks like it's going to be a three-year wait to see if Santa will finally stop by their house.

Remember that this is a summary of changes, so there's not that much meat yet. The actual standard will be pre-released early next month, with the final standard coming out after the European Community Meeting in October.

Comments

Santa Compliance?

Funny stuff!

As an FYI to readers, even though the PCI DSS doesn't mandate the use of DLP, DLP does seem to be used quite a bit to help solve certain aspects of PCI compliance. About 75% of Forrester clients interested in DLP are solving some kind of "toxic data" problem: PCI, PHI, PII etc.

At least Santa visits once a year...

As I wasn't expecting any compliance-related presents under my tree this year, I won't complain about the content but I do wonder at the three year gap between revisions. I see that mid-version guidance may be offered, but is three years really the kind of time-window to be setting for responding to changes in the security landscape?

SIEM Compliance

I am a research student and would like your insights on the following questions, as compliance takes the lead in the security market today.
1. Can any Security Information and Event Management (SIEM) solution guarantee 100% compliance with all regulatory standards (e.g. HIPAA, PCI DSS, SOX, etc.) today? Whether yes or no, can you please support your answer?
2. Are there any prerequisites in order to achieve the full compliance potential of a SIEM system? Whether yes or no, can you please support your answer?