David Rook

PCI DSS v1.2: Will the New Standard Miss the Mark?

With the imminent release of version 1.2 of the PCI DSS, I feel the new version may miss the mark and fail to bring the improvements some people had hoped for.

The PCI Security Standards Council has released a document summarising the changes that will be made in the new version, and I feel several important security requirements have been overlooked.

I have listed three main issues I think the new version of the standard should have addressed:

  • Virtualisation
  • Cloud Computing
  • Secure Development

Virtualisation technologies are becoming a popular choice for enterprises, mainly because of the cost savings they offer and the ease of management they bring. These technologies have also caught the attention of security researchers, and new methods of attack against virtualised environments have been appearing throughout 2008.

Black Hat USA 2008 had ten presentations which discussed virtualisation security, compared to only one the previous year. This, coupled with the increasing number of patches being released by virtualisation vendors, makes me feel that the new version of the standard should have added specific requirements covering virtualisation security.
