
PCI standard v1.2 clarifies rules

Latest version is tougher on malware, easier on firewalls.

September 28, 2008

Described as evolutionary rather than revolutionary, the updates to the Payment Card Industry Data Security Standard are expected to clarify the existing requirements rather than add new ones.

The Payment Card Industry Data Security Standard, commonly referred to as PCI DSS, is the overarching standard used by the five major credit-card companies - Visa Inc., MasterCard Worldwide, Discover Financial Services, American Express and JCB. The standard is designed to ensure consumers' account and card information is protected and guarded after they conduct transactions across payment channels, including the POS and ATM.

The PCI Security Standards Council will release the final version of PCI DSS v1.2 on October 1, although a summary of the expected changes has been in circulation for several months.

Under version 1.1, the PCI standards comprise 12 requirements, with numerous subrequirements. The number and scope of the requirements aren't expected to change with the update. The revised standard will incorporate recommendations gathered from the industry.

"The Council's Participating Organizations, through the feedback process, have provided an invaluable service in enhancing the PCI DSS to meet today's market needs," said Bob Russo, general manager, PCI Security Standards Council. "Version 1.2 should be seen as an improvement, not a departure from tried and true best security practices."


One of the clarifications eases requirements for firewalls used to protect cardholder data. Under the new standard, review of firewall rules will be required every six months rather than every quarter.

"Routers in networks are usually fairly stable so six months seems reasonable," said Luis Porres, director of technology risk management services for Jefferson Wells, an information technology consultant and a qualified security assessor for PCI compliance.

A proposed change in Requirement 5 is likely to cause some headaches. It expands malicious-software protection to all operating system types and requires that it address all known types of malicious software. The current standard calls for anti-virus protection only on "all systems commonly affected by viruses (particularly personal computers and servers)."

Recent data breaches may have raised the stakes on protecting data not just stored on computers but as it moves across networks for authorization. Viruses are only one type of malware; Trojan horses, key loggers and other data-grabbing software present risks as well.

Now system administrators will have to expand malware protection to Unix-based machines, mainframes and midrange systems that aren't targeted nearly as much as computers running Windows.

"For companies now faced with the challenge of putting malicious software protection on mainframes, and Unix flavor systems, this is likely to be a daunting challenge," said Chris A. Mark, president and one of the founders of The Aegenis Group Inc., a security consulting firm.

Another improvement is the proposal to allow a risk-based approach to software patching, in place of the v1.1 requirement that patches be installed within 30 days of release.

With a beat-the-deadline approach "organizations may have introduced more risks than they addressed," Mark said. "Most large, complex organizations struggled with the 30-day installation and a large percentage were forced to employ compensating controls."

The new standard will sound the death knell for the Wired Equivalent Privacy (WEP) encryption standard for wireless security. The council instead emphasizes industry best practices such as 802.11x using strong encryption for authentication and transmission of encrypted cardholder data. No new WEP applications will be allowed after March 31, 2009, and current implementations must be phased out after June 30, 2010.

"It seems like they're increasing the standard wireless encryption by requiring the abolishment of WEP," Porres said.
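The two WEP deadlines above are the kind of thing an assessor ends up checking against a wireless inventory by hand. The script below is an added example, not code from the article or from the PCI Security Standards Council: it takes a constructed list of WLANs and classifies each one against the March 31, 2009 "no new WEP" date and the June 30, 2010 phase-out date as of a chosen assessment date. The set of modes it accepts as "strong encryption" (WPA2-AES, WPA2-Enterprise) is the example's own assumption, since the article names none; anything else that is not WEP or open is flagged for manual review rather than silently passed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Deadlines as reported in the article for the WEP phase-out under PCI DSS v1.2.
WEP_NO_NEW_AFTER = date(2009, 3, 31)     # no new WEP deployments after this date
WEP_PHASE_OUT_AFTER = date(2010, 6, 30)  # existing WEP must be gone after this date

# Assumption: the modes this example accepts as "strong encryption". The article
# names no specific modes, so this list is the example's choice, not the standard's.
STRONG_MODES = {"WPA2-AES", "WPA2-ENTERPRISE"}


def _as_date(value: date | str) -> date:
    """Accept a date object or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


@dataclass
class WirelessNetwork:
    ssid: str
    encryption: str        # e.g. "WEP", "WPA2-AES", "OPEN"
    deployed: date | str   # date the WLAN went into service
    in_scope: bool         # True if it carries, or can reach, cardholder data

    def __post_init__(self) -> None:
        self.deployed = _as_date(self.deployed)


def assess(net: WirelessNetwork, as_of: date | str) -> tuple[str, str]:
    """Classify one WLAN against the WEP deadlines as of a given date.

    Returns (status, reason); status is one of 'ok', 'out-of-scope',
    'phase-out-pending', 'non-compliant' or 'review'.
    """
    today = _as_date(as_of)
    if not net.in_scope:
        return "out-of-scope", "does not carry or reach cardholder data"
    enc = net.encryption.upper()
    if enc in STRONG_MODES:
        return "ok", f"{enc} is an accepted strong mode"
    if enc == "OPEN":
        return "non-compliant", "no encryption on an in-scope WLAN"
    if enc == "WEP":
        if net.deployed > WEP_NO_NEW_AFTER:
            return "non-compliant", f"WEP deployed after {WEP_NO_NEW_AFTER}"
        if today > WEP_PHASE_OUT_AFTER:
            return "non-compliant", f"WEP still in use after {WEP_PHASE_OUT_AFTER}"
        days_left = (WEP_PHASE_OUT_AFTER - today).days
        return "phase-out-pending", f"legacy WEP; {days_left} days left to migrate"
    # WPA-TKIP and anything else not on the accepted list: let an assessor decide.
    return "review", f"mode {enc!r} not in the accepted list; assess manually"


def report(inventory: list[WirelessNetwork], as_of: date | str) -> dict[str, list[tuple[str, str]]]:
    """Group SSIDs by status so the assessor sees at a glance what needs action."""
    grouped: dict[str, list[tuple[str, str]]] = {}
    for net in inventory:
        status, reason = assess(net, as_of)
        grouped.setdefault(status, []).append((net.ssid, reason))
    return grouped


# Constructed sample inventory; none of these are real networks.
SAMPLE_INVENTORY = [
    WirelessNetwork("pos-floor", "WEP", "2006-05-01", True),
    WirelessNetwork("pos-annex", "WEP", "2009-05-01", True),
    WirelessNetwork("corp-staff", "wpa2-enterprise", "2008-01-15", True),
    WirelessNetwork("guest", "OPEN", "2007-09-01", False),
    WirelessNetwork("warehouse", "WPA-TKIP", "2008-03-01", True),
]

if __name__ == "__main__":
    for status, items in report(SAMPLE_INVENTORY, "2008-10-01").items():
        print(status)
        for ssid, reason in items:
            print(f"  {ssid}: {reason}")
```

Run against the sample inventory on the article's publication date, the legacy WEP network lands in "phase-out-pending" with a countdown, while a WEP network that went live after March 31, 2009 is non-compliant immediately, whatever the assessment date; re-running with an assessment date after June 30, 2010 moves every remaining WEP network to non-compliant. The out-of-scope flag matters in practice: the standard only reaches networks that touch cardholder data, so an open guest network that is properly segmented from the POS is reported separately rather than as a failure.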

The PCI Security Standards Council will roll out the finalized standard at community meetings in Orlando, Fla., and Brussels. The council plans to update the Data Security Standard every two years.

©2025 Networld Media Group, LLC. All rights reserved.