An upcoming change affecting PCI DSS reporting is the June 30, 2012 cutover date for PCI DSS v2.0 Requirements 6.2 and 6.5.6. Until that date these two requirements are considered a best practice; after it they are enforced as requirements and assessed like any other.
How does the cutover date affect compliance with PCI DSS?
1. After June 30, 2012, organizations will be required to assign a risk ranking to newly discovered vulnerabilities affecting the CDE, as part of the ongoing vulnerability identification process established in Requirement 6.2. The requirement covers both halves: a process for learning about new vulnerabilities, and a documented method for ranking them.
Guidelines for classifying risk are provided by the Council as follows:
o Risk ranking systems should be based on industry standards or best practices (a CVSS base score is the usual starting point).
o The ranking should classify risk in a way that lets remediation be prioritized (for example: High, Medium, Low).
2. When an entity develops applications that are in scope for its CDE, Requirement 6.5.6 will require the secure application development process to address, in both coding practices and testing, the vulnerabilities that the Requirement 6.2 process ranks as "high".
3. Additional Testing Procedures are indirectly affected by the cutover date because they refer back to the Requirement 6.2 process:
2.2.b: system configuration standards must be updated as new vulnerabilities are identified under Requirement 6.2
10.4.a: time-synchronization technology must be kept current, with the vulnerabilities affecting it identified and ranked under Requirements 6.1 and 6.2
11.2.1.b: quarterly internal vulnerability scans must be repeated until all vulnerabilities ranked "high" under Requirement 6.2 are resolved
11.2.3.b: internal scans performed after significant changes must likewise be repeated until all "high" vulnerabilities are resolved
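The items above all hang off one thing: a repeatable process that takes a newly identified vulnerability, decides whether it touches the CDE, ranks it, and turns the ranking into concrete obligations (rescan until resolved, feed into secure development, update configuration standards). The following Python script is an added example of such a process, not code from the original article or from the Council. The ranking policy is an assumption: 4.0 is used as the "High" CVSS threshold because the v2.0 note on Requirement 6.2 gives a CVSS base score of 4.0 or above, a vendor-supplied patch rated "critical", and a vulnerability affecting a critical system component as example criteria for "High"; the 2.0 "Medium" floor, the product names and the vulnerability identifiers are constructed placeholders, not real advisories.

```python
"""Risk-ranking process for newly identified vulnerabilities (PCI DSS v2.0 Req. 6.2).

Added example, not the Council's code. All inventory and vulnerability data below
is constructed; product names and IDs are placeholders, not real advisories.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed ranking policy; replace with the criteria your organization documents.
# 4.0 follows the example criterion in the v2.0 note on Req. 6.2 (CVSS base >= 4.0).
HIGH_CVSS = 4.0
MEDIUM_CVSS = 2.0   # assumption: anything below this is ranked Low


@dataclass(frozen=True)
class Component:
    name: str
    product: str          # product string matched against advisories
    in_cde: bool          # in scope for the cardholder data environment
    critical: bool        # critical system component (e.g. stores/processes CHD)
    in_house_app: bool    # developed in-house, so Req. 6.5 applies to it


@dataclass(frozen=True)
class Vulnerability:
    ident: str            # placeholder identifier (constructed)
    product: str
    cvss_v2_base: float
    vendor_critical: bool  # vendor-supplied patch rated "critical"


@dataclass
class Ranking:
    ident: str
    rank: str              # "High", "Medium", "Low" or "Not applicable"
    affected: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)


def rank_vulnerability(vuln: Vulnerability, inventory: List[Component]) -> Ranking:
    """Assign the single ranking that drives remediation priority."""
    if not 0.0 <= vuln.cvss_v2_base <= 10.0:
        raise ValueError(f"{vuln.ident}: CVSS base score out of range")
    affected = [c for c in inventory if c.product == vuln.product and c.in_cde]
    if not affected:
        return Ranking(vuln.ident, "Not applicable", [], [f"no CDE component runs {vuln.product}"])
    reasons = [f"CVSS v2 base {vuln.cvss_v2_base}"]
    if vuln.cvss_v2_base >= HIGH_CVSS:
        rank = "High"
    elif vuln.cvss_v2_base >= MEDIUM_CVSS:
        rank = "Medium"
    else:
        rank = "Low"
    # Either of the other two example criteria raises the ranking to High.
    if rank != "High" and vuln.vendor_critical:
        rank, reasons = "High", reasons + ["vendor rates patch critical"]
    if rank != "High" and any(c.critical for c in affected):
        rank, reasons = "High", reasons + ["affects a critical system component"]
    return Ranking(vuln.ident, rank, [c.name for c in affected], reasons)


def rank_all(vulns: List[Vulnerability], inventory: List[Component]) -> List[Ranking]:
    return [rank_vulnerability(v, inventory) for v in vulns]


def remediation_plan(rankings: List[Ranking], inventory: List[Component]) -> Dict[str, List[str]]:
    """Map rankings onto the testing procedures the cutover touches."""
    by_name = {c.name: c for c in inventory}
    highs = [r for r in rankings if r.rank == "High"]
    return {
        # 11.2.1.b / 11.2.3.b: rescan until every High is resolved
        "rescan_until_resolved": [r.ident for r in highs],
        # 6.5.6: in-house applications must address High vulnerabilities
        "secure_dev_test": [r.ident for r in highs
                            if any(by_name[n].in_house_app for n in r.affected)],
        # 2.2.b: configuration standards updated for every applicable vulnerability
        "config_standard_update": [r.ident for r in rankings if r.rank != "Not applicable"],
    }


# Constructed sample inventory; "ntp-01" stands in for the time sync technology of 10.4.a.
SAMPLE_INVENTORY = [
    Component("pay-web-01", "acme-webshop", in_cde=True, critical=True, in_house_app=True),
    Component("db-01", "acme-dbms", in_cde=True, critical=True, in_house_app=False),
    Component("ntp-01", "acme-ntpd", in_cde=True, critical=False, in_house_app=False),
    Component("hr-wiki", "acme-wiki", in_cde=False, critical=False, in_house_app=False),
]

# Constructed sample advisories (placeholder IDs, not real vulnerabilities).
SAMPLE_VULNS = [
    Vulnerability("V-1", "acme-webshop", 9.3, vendor_critical=False),
    Vulnerability("V-2", "acme-ntpd", 2.6, vendor_critical=False),
    Vulnerability("V-3", "acme-ntpd", 1.2, vendor_critical=True),
    Vulnerability("V-4", "acme-wiki", 10.0, vendor_critical=False),
    Vulnerability("V-5", "acme-dbms", 3.5, vendor_critical=False),
]

if __name__ == "__main__":
    results = rank_all(SAMPLE_VULNS, SAMPLE_INVENTORY)
    for r in results:
        print(f"{r.ident}: {r.rank:<14} affected={r.affected} because {'; '.join(r.reasons)}")
    print(remediation_plan(results, SAMPLE_INVENTORY))
```

The point of the `reasons` list is assessment evidence: an assessor checking 6.2 wants to see not just the rank but the documented criterion that produced it, and the "Not applicable" outcome records that a high-scoring advisory was considered and found out of scope rather than silently dropped.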
By putting the identification and ranking process in place, and documenting the criteria behind it, before the June 30 deadline, you can ensure that your organization does not fall out of compliance once these requirements become mandatory.