The council just released their Assessor update for this month. For your convenience I summarized below the essence of this newsletter.
Relevant to All:
1) Assessors may suggest new topic for Special Interest Groups (SIGs) until August 31st. The submission form can be found here.
2) Clarification for PCI-DSS 11.1 - Test for the presence of wireless accesspoints and detect unauthorized wireless access points on a quarterly basis. Testing for the presence of unauthorized access points is required on a quarterly basis, regardless of whether or not wireless connectivity is used or prohibited within your CDE.
3) PCI SSC is working on guidance on the management of conflicts of interests as it perceives this as a growing concern. At present, the Council highly encourages assessors to fully disclose and maintain strong policies to ensure independence and protect the interests of all parties.
Relevant to ASVs:
It is expected that ASVs will only perform service discovery on those hosts found to be live during the "perform host discovery" phase of an ASV scan. That makes sense, doesn’t it!
Relevant to QSAs:
1) An updated version of the ROC reporting instructions is ready. No date for publication as yet.
2) A QSA may rely upon the work of another QSA; however, it should always be remembered that the active QSA has the ultimate responsibility for their client's assessment and the evidence provided in the Report on Compliance.
Relevant to PA-QSAs:
1) PCIco is looking for feedback on their ROV reporting instructions for PA-DSS v2.0 released in July.
2) Clarification on PA-DSS Requirement 7.1 - Software vendors must establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities, and test their payment applications accordingly.
Application vendor's vulnerability management processes MUST includes assigning a risk ranking for identified vulnerabilities to successfully achieve PA-DSS Validation.
If you have any questions, please post them as comments below.