The PCI SSC quietly released version 1.2.1 (July 2009) with some very minor wording changes. The following is a list of those changes:

  • Oct. 2008, v1.2: To introduce PCI DSS v1.2 as “PCI DSS Requirements and Security Assessment Procedures,” eliminating redundancy between documents, and make both general and specific changes from PCI DSS Security Audit Procedures v1.1. For complete information, see PCI Data Security Standard Summary of Changes from PCI DSS Version 1.1 to 1.2.
  • July 2009, v1.2.1: Add sentence that was incorrectly deleted between PCI DSS v1.1 and v1.2.
  • July 2009, v1.2.1: Correct “then” to “than” in testing procedures 6.3.7.a and 6.3.7.b.
  • July 2009, v1.2.1: Remove grayed-out marking for “in place” and “not in place” columns in testing procedure 6.5.b.
  • July 2009, v1.2.1: For Compensating Controls Worksheet – Completed Example, correct wording at top of page to say “Use this worksheet to define compensating controls for any requirement noted as ‘in place’ via compensating controls.”

So, pray tell, what is the sentence that was incorrectly deleted?

PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.

This is a rather minor clarification. Many people read the cardholder data matrix and think that all of its elements, including the cardholder name and expiration date, are considered cardholder data (CHD) on their own. With this update the PCI SSC reminds us that these elements are only considered CHD when they are stored together with the PAN.

Translation?  No PAN, no cardholder data!
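To show how that scoping rule plays out when triaging a data store, here is an added example (not from the post or from the PCI SSC) that classifies a record: name, expiration date and service code count as CHD only if a PAN is found in the same record. The field names, the 13-19 digit Luhn-based PAN detection and the sample records are all assumptions made for the illustration.

```python
import re
from typing import Dict, List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
# Luhn filters out most random digit runs, but Luhn-valid non-PANs (assumption:
# e.g. some account or serial numbers) can still false-positive; treat hits as leads.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> List[str]:
    """Return digit-only PAN candidates in `text` that pass the Luhn check."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found

# Fields that are CHD only when a PAN is present in the same record (assumed names).
PAN_DEPENDENT_FIELDS = ("cardholder_name", "expiration_date", "service_code")

def classify_record(record: Dict[str, str]) -> Dict[str, object]:
    """Apply the v1.2.1 rule: no PAN means no cardholder data.
    Returns whether the record is in PCI DSS scope and which fields are CHD."""
    pan_fields = [k for k, v in record.items() if find_pans(v)]
    if not pan_fields:
        return {"in_scope": False, "chd_fields": []}
    chd = pan_fields + [k for k in PAN_DEPENDENT_FIELDS
                        if k in record and k not in pan_fields]
    return {"in_scope": True, "chd_fields": chd}

if __name__ == "__main__":
    # Constructed sample records; 4111 1111 1111 1111 is a well-known test PAN.
    with_pan = {"cardholder_name": "J. Doe", "expiration_date": "12/26",
                "notes": "PAN 4111-1111-1111-1111"}
    without_pan = {"cardholder_name": "J. Doe", "expiration_date": "12/26"}
    print(classify_record(with_pan))     # in scope: notes, name, expiry are CHD
    print(classify_record(without_pan))  # not in scope: no PAN, no CHD
```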

This leaves us with only one remaining question…

Now that we are completing the In Place / Not In Place columns for testing procedure 6.5.b, what are the necessary validation steps? Perhaps documentation review, observation of the process, action or state, and staff interviews.