Channel: StorefrontBacktalk » Payment Systems

PCI’s Not-So-Open Global Forum

PCI's Global Forum is an open forum in name only, at least as long as it continues to force changes on members that they are not even permitted to know about until someone who has been briefed chooses to tell them, writes GuestView Columnist Stephen Ames. What makes him say that? He tells a story about how PCI really works in practice.

Ames had just wrapped up onsite PA-DSS validations with his PA-QSA this month when a question came up about PA-DSS Requirement 4.2.7, which aligns with DSS Requirement 10.2 on user access. His PA-QSA told him that PA-DSS Requirement 4.2.7 is now always in scope, regardless of whether or not the application contains a user database. Both of these options would cause application vendors to take on more liability. Ames searched the PA-DSS for a security requirement that aligns with PCI DSS 11.5, file-integrity monitoring, and found none. He is certain that most application vendors would not take responsibility for file-integrity monitoring at merchant sites, and he cannot understand why the SSC is forcing that onto application vendors when no such requirement is written into the PA-DSS.

