PCI V2. How does it affect you?
December 12th, 2010 by Bob Munson
The new version 2.0 of PCI DSS arrived in October 2010 and much of the worry has subsided. This new version does not add much to the overhead of compliance and in some cases its clarifications can make things easier.
The changes come into effect in Jan 2011, although companies can elect to comply with PCI-DSS v1.2.1 until December 2011.
Many of the changes are clarifications, such as defining some ports that it considers insecure, and stating that a VM counts as a server and not the hypervisor. These are things that at first may seem obvious but have had the paranoid in a panic or the carefree ignoring real risks.
Risk assessment comes into this version of the standard too. The standard says things like, "An organization may consider applying a risk-based approach to prioritize their patch installations." Using this common-sense approach can reduce the associated cost. You don't need a large team of people testing and applying patches to every device within a month, as long as the high risk ones are done in that timescale and lower risk ones are done within three months.
I used to work for a global multinational and, with over 50,000 network devices of varying manufacturer, specification, operating system and change control process, updating everything in a month was impossible. What was needed was a sweep of high risk devices, a sweep of the easiest devices and a mop up team to fix the ones that got away. The important thing is having accurate records to account for what has been done and what still needs to be done.
At the time that would have been a PCI-DSS failure. Now it isn't. A big step forward in my mind.
It is apparent that it isn't just the massive companies that have had problems complying; there is evidence that some smaller retailers have found compliance with the standard a burden. Following the risk model will help get QSAs and card issuers on board. The reason for PCI DSS is to prevent credit card fraud, and if you can reduce risk more quickly, they are more likely to accept delays in full compliance.
The latest version also gives more detail on sampling for compliance testing: where and how the random sampling criteria should be applied. The sample does have to be truly random, though. You can't choose the first 10% alphabetically or the ones you have already checked. Because of this, you need access to all of the information, if possible in one place. In most cases this information is available (possibly hidden) within your logs.
We recommend Splunk because we think it is the best, but whatever log management tool you use, you need to be able to search it for those hidden nuggets: the nuggets that will be needed in reports to prove your compliance.
EQALIS have updated our PCI app for Splunk to help you meet Version 2 of PCI DSS, with new dashboards and alerts to help you become compliant and to help prove you stay that way with minimal effort.





