Finally, I found time to read PCI DSS 1.2. change doc. So:
- Good news: router is now officially a firewall (it has been for a while, but many people are still stuck in "security device" vs "network device" cloud) - see Req 1
- From the "WTH dept": anti-virus is a MUST on ALL platforms - Req 5. Please ship me some of the stuff they are smoking; I want it! BTW, I am going to Amsterdam soon :-)
- WAF or code review for web application security is still a stupid "OR" - Req 6.6. OMG, please, software security folks, teach them the truth.
- Can we kill "plain text passwords" once and for all? Req 8 tries to achieve that noble goal (good thing!)
- Visit your offsite data storage - good (if costly) idea - added to Req 9. Requirements to secure electronic AND paper media are solid too.
- Love it, love it! Req 10 explains that logs needs to be actually available: 'three months of audit trail history must be “immediately available for analysis” or quickly accessible' (bye-bye, silly log dumps...)
- Some vulnerability stuff clarified in Req 11, mostly about ASVs and pentesting.
- Scope of security policy is expanded to "employee-facing technologies" (what a term!) - Req 12
- All over: more references to wireless (WEP, access points, hidden SSIDs, etc) - indeed, recent data losses are often due to insecure wireless.
Overall, a minor change that, sadly, doesn't touch a few KEY areas, such as virtualization, for one.