{"id":55,"date":"2022-09-18T23:59:00","date_gmt":"2022-09-19T04:59:00","guid":{"rendered":"https:\/\/terrabytefoundry.com\/blog_s\/?p=55"},"modified":"2022-09-17T15:05:19","modified_gmt":"2022-09-17T20:05:19","slug":"intro-to-pci-version-4-requirement-2","status":"publish","type":"post","link":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/09\/18\/intro-to-pci-version-4-requirement-2\/","title":{"rendered":"Intro to PCI version 4: Requirement 2"},"content":{"rendered":"\n

As you noticed during our discussion around the updates to requirement 1 (and if you didn\u2019t go read that blog post), the content is pretty dry, but I try to present it in a way that is at least easy to consume and use.  That won\u2019t change throughout the rest of the requirements, not even requirement 2 \u2013 the \u201ccommon sense\u201d requirement (as I like to call it.)  The reason I refer to it in that way is simple \u2013 If you just do things based on what just makes sense, you have achieved most of the needs for compliance in this one.  If you want to hear my thoughts on that, feel free to reach out directly for a conversation on the topic.<\/p>\n\n\n\n

Overall Thoughts<\/h2>\n\n\n\n

As we discussed in our PCI discussion there is a major shift on ownership of the PCI program.  If you don\u2019t dig too deeply it feels like the only motivation is to just shine a light on PCI and prevent it from being forgotten in the overall security stance of the company, and I admit I do think that is part of it.  I also think that the council is motivated by making sure the process owners are acknowledged within the organization, so they have the internal credibility and awareness of their position to act in a way that helps them be almost as agile as the threat landscape they are facing.  In IT security the defenders are mostly in a reactive mode, giving an edge to the attackers, so the shorter the reaction window is the less the impact.  Requirement 2 is designed around the idea that we reduce risk and increase the window allowed for reaction from the start, or introduction of items to the environment to begin with.  With that focus in the overhaul of Requirement 2, the updates will provide clarification on how the environmental elements are expanded and managed during the introduction period.<\/h2>\n\n\n\n

What\u2019s New for Req 2 in v4<\/h2>\n\n\n\n

The only net new item in version 4 for requirement 2 is the new 2.1.2, which states \u201cRoles and responsibilities for performing activities in Requirement 2 are documented, assigned, and understood.\u201d If the previous sentence feels like I just took the same sentence from the post on requirement 1 and changed the 1 to a 2, good job remembering what we discussed in the previous blog post.  You truly might be my biggest fan! <\/p>\n\n\n\n

Changes to the existing controls <\/h2>\n\n\n\n

As in our previous post dedicated to a specific section of the DSS, I am going to bullet them out for you and give a (very) brief note on them.<\/p>\n\n\n\n