"No Impact Change Report" for Versioning?


DanB
03-09-2009, 09:54 AM
Is there a standard, PCI compliant No Impact Change Report for minor versioning in software? Also, are there any guidelines for what exactly PCI is looking for in versioning numbers? My understanding at present is that the numbers 1.1.1 would mean Major Security Changes . Major/Minor Functionality Changes . Cosmetic/Bug fixes. Is this correct?

Cheers!

derra
03-10-2009, 01:18 AM
The version numbers don't matter at all since all companies have different ways of handling this. What is important is "what" has changed.

DanB
03-10-2009, 06:20 AM
When we make changes to a CC processing application, at what point do we need to recertify? I know that when making minor changes (say from 1.1.1 to 1.1.2 in order to fix a minor bug, no changes in gross functionality) we should not have to recertify, but we will need to notify the QSA via a No Impact Change Report. Is there a standard No Impact Change Report that we can submit? Or do we just make up our own?

jbhall56
03-10-2009, 07:49 PM
The PCI SSC will need to issue a white paper or such to clarify this. However, my understanding is that if the changes in a new release do NOT affect the processing, storing or transmitting of cardholder data (CHD), then it does not require re-certification.

In regards to the 'No Impact Change Report', I have not seen one, so I would suggest you create one. At a minimum, you will need to document all the changes in the version and why these changes do not affect CHD processing, if that is not obvious.

DanB
03-11-2009, 05:30 AM
So in regards to the No Impact, even if we had a major revision, say from 1.1.1 to 1.2.0, if the changes did not demonstrably affect CHD we would not have to re-cert?

jbhall56
03-11-2009, 08:37 PM
Major version is all in the eye of the beholder. :)

I think the people that wrote the requirement were more thinking of the v1.x to v2.x example as a major revision. However, if v1.1.0 to v1.2.0 brings a new or different way of processing, storing or transmitting cardholder data, then it would definitely need to be re-certified.

This may still be clear as mud, but I'm hoping I cleared it up.

DanB
03-12-2009, 06:01 AM
Thanks for the information. I think, if I am interpreting correctly, that as long as the CHD processes remain unchanged we do not need to re-cert. If we change the way that the CHD process works, then we apply to re-cert.

Thanks!