Today the PCI Council released a summary of the expected changes to PCI-DSS and PA-DSS v2.0 releases scheduled for October 2010. You can find the summary on their website.
Remember that this is just a list of the highlights of the proposed changes. The actual changes themselves will come later. The draft of the new DSS will be shared with the PCI community in September at the Orlando meeting and then likely to be published in October 2010. Changes will be expected to take effect Jan 2011.
Apart from bunch of interesting ‘guidance’, ‘clarifications’ and ‘evolving requirements’ what I found most interesting was the language around virtualization. Current requirement 2.2.1, with its language of “one primary function per server”, has always been the thorn in the side of many merchants trying to catch up with technology and become more scalable and dynamic by using the powers of virtualization. What if you do want to put a virtual webserver and virtual database on the same physical server? Does it violate the “one function per server” requirement?
The PCI council had setup a SIG to deal with virtualization and it going to be awesome to finally see their recommendations getting incorporated into the DSS. We will have to wait and see the actual language in the new standard but it’s encouraging to see that PCI DSS is addressing the cloud and virtualization! It will be interesting to see how that change affects other requirements like firewalls and pen testing and performing vulnerability scans of dynamic environments with images that are not up all the time. I suspect merchants will be able to use the ‘sampling’ route to comply with the other requirements.
In any case, I am looking forward to the PCI community meeting in Orlando to get more details on these changes and discuss them with the council and the community. And I hope the results will make quite a few merchants who want to fly to the ‘cloud’ very happy!