A Quick Note About PA-DSS 2.0
Just a quick note to everyone out there in PCI-land. There is one very large change in PCI DSS and PA-DSS v2.0. It’s a scary change. It’s an undocumented change. It’s going to change the way you do business.
What is this change?
As of v2.0, you actually have to do what you’ve been saying you were doing all along.
In v1.2, it was appropriate for an assessor to say that institutions had procedures requiring them to do things. This is no longer the case. While the old reporting procedures required assessors to identify the document that explained that requirements needed to be met, as of v2.0, the reporting procedures require QSAs and PA-QSAs to explain in the report how the requirements are met.
We assessors need to provide detail. This means we need to see detail. We know it’s hard. We know it’s time consuming. We also know it’s The Right Thing to Do. If you document your procedures in a manner that is actually useful to you and your staff, you’ll probably find you get reprimanded less often for having insufficient docs.
Thanks. We now return you to your regularly scheduled programming…











