When the PCI DSS was written, particularly requirements 6.4.6, 11.2 and 11.3, the authors had something in mind: making sure security was maintained after a significant change. What they never pinned down, though, was what counts as a significant change. There's even an FAQ about it, and it doesn't help very much. Not surprising really, when the same standard covers behemoths like Amazon as well as my local independent pizza parlour. They are not the same kind of organisation, and a change that is routine for one could put the other out of business.
So what is a significant change? It depends. But here is my list of things that would probably constitute a significant change for any organisation:
- Anything that changes the scope of your environment.
- Anything that changes the segmentation of your environment.
- A change in the way you meet the PCI DSS requirements (e.g. change of SIEM technology).
- Sending card data to a new location or third party.
- Changes to technology that need more than 30 minutes of testing (a different operating system, new software, etc.).
You're still going to have to look at every change and work out what it means for your organisation and whether it's significant for you, but this list may give you a head start. Whatever you decide, write the definition down and apply it consistently: an assessor will want to see how you concluded that a change wasn't significant, not just that you did.