
Latest version of PCI standards

PCI council clarifies PCI data-security mandates for the industry.

September 30, 2008, by Gary Wollenhaupt

Gary Wollenhaupt is a regular contributor to ATM Marketplace. To submit a comment about this article, e-mail the editor.
 
Described as evolutionary rather than revolutionary, updates to the Payment Card Industry Data Security Standard are expected to clarify rather than add new requirements.
 
The PCI Data Security Standard, commonly referred to as PCI DSS, is the overarching standard used by the five major credit-card companies — Visa Inc., MasterCard Worldwide, Discover Financial Services, American Express and JCB. The standard is designed to ensure consumers' account and card information is protected and guarded after they conduct transactions across payment channels, including those conducted at the POS and ATM.
 
The PCI Security Standards Council released the final version of PCI DSS v1.2 on Oct. 1, following up on a summary of expected changes that had been in circulation for several months.
 
"It's not our intent to make any company non-compliant by coming out with the new standard," said Bob Russo, general manager of the PCI Security Standards Council. "Version 1.2 should be seen as an improvement, not as a departure from tried-and-true best security practices."
 
In v1.2, as in v1.1, the standard comprises 12 requirements with numerous sub-requirements. The number and scope of the requirements did not change with the update. The updated standard incorporates feedback gathered from participating organizations during the past two years. But many payments companies asked for further explanation, as well as a softening of some requirements that were difficult to implement or may have caused new sets of problems, Russo said.
 
One of the clarifications eases requirements for firewalls used to protect cardholder data. Under v1.2, review of firewall rules will be required every six months rather than every quarter.
 
"Routers in networks are usually fairly stable, so six months seems reasonable," said Luis Porres, director of technology-risk-management services for Jefferson Wells, an information technology consultancy and PCI qualified security assessor.
 
Greater clarification may cause a few headaches
 
But a proposed change to Requirement 5 is likely to cause some headaches. It expands malicious software protection to include all operating-system types and must address all known types of malicious software. The current standard calls for anti-virus protection only on "systems commonly affected by viruses (particularly personal computers and servers)."
 
Recent data breaches may have raised the stakes on protecting all data that moves across networks for authorization, not just information stored on computers. Viruses are only one type of malware; trojan horses, key loggers and other data-grabbing software present their own risks.
 
"People need to be looking at malicious code and ways of preventing it, if in fact it's discovered on a particular operating system," Russo said.
 
Now system administrators will have to expand malware protection to Unix-based machines, mainframes and mid-range systems that aren't targeted nearly as much as computers running Windows.
 
"For companies now faced with the challenge of putting malicious software protection on mainframes and Unix flavor systems, this is likely to be a daunting challenge," said Chris A. Mark, president and one of the founders of The Aegenis Group Inc., a security-consulting firm.
 
Under the new version, software patches can be installed on a risk-based approach, rather than every 30 days after a new patch's release, as v1.1 required.
 
With a beat-the-deadline approach, "organizations may have introduced more risks than they addressed," Mark said. "Most large, complex organizations struggled with the 30-day installation, and a large percentage were forced to employ compensating controls."
 
The new standard also calls for the phasing out of the Wired Equivalent Privacy (WEP) encryption standard for wireless security. The council instead emphasizes industry best practices such as 802.11x using strong encryption for authentication and transmission of encrypted cardholder data. No new WEP applications will be allowed after March 31, 2009, and current implementations must be phased out after June 30, 2010.
 
"It seems like they're increasing the standard for wireless encryption by requiring the abolishment of WEP," Porres said.
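The WEP sunset described above is the kind of requirement an assessor or network team would track across a wireless inventory. The following is an added example, not code from the article or from the PCI Security Standards Council: it classifies each access point against the two dates the article reports (no new WEP after March 31, 2009; existing WEP gone after June 30, 2010) and flags weak or unencrypted networks that touch the cardholder data environment. The `AccessPoint` fields, the sample inventory, and the treatment of WPA2 (AES/CCMP) as "strong encryption" are assumptions made for the example; the article itself names no specific replacement protocol.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

# Deadlines as reported in the article for PCI DSS v1.2's WEP phase-out.
WEP_NEW_DEPLOYMENT_CUTOFF = date(2009, 3, 31)   # no new WEP after this date
WEP_SUNSET = date(2010, 6, 30)                  # existing WEP must be gone after this date

# Hypothetical classification of wireless security modes. The article only says
# "strong encryption"; treating WPA2 (AES/CCMP) as strong is our assumption here.
STRONG = {"WPA2-AES", "WPA2-ENTERPRISE"}
WEAK = {"WPA-TKIP"}            # better than WEP, but not strong encryption
BROKEN = {"WEP", "OPEN"}


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    mode: str        # one of the strings in STRONG / WEAK / BROKEN
    in_cde: bool     # True if the AP is inside or connected to the cardholder data environment
    deployed: date   # date the AP (or its WEP configuration) went live


def assess(ap: AccessPoint, today: date) -> Tuple[str, str]:
    """Return (severity, reason) for one access point as of `today`.

    severity is "pass", "warn" or "fail".
    """
    if not ap.in_cde:
        return ("pass", "outside the cardholder data environment; wireless rules do not apply")
    if ap.mode == "OPEN":
        return ("fail", "no encryption on a CDE-connected wireless network")
    if ap.mode == "WEP":
        if ap.deployed > WEP_NEW_DEPLOYMENT_CUTOFF:
            return ("fail", f"WEP deployed after {WEP_NEW_DEPLOYMENT_CUTOFF}; new WEP is prohibited")
        if today > WEP_SUNSET:
            return ("fail", f"WEP still in use after the {WEP_SUNSET} sunset")
        days_left = (WEP_SUNSET - today).days
        return ("warn", f"legacy WEP must be replaced within {days_left} days (by {WEP_SUNSET})")
    if ap.mode in WEAK:
        return ("warn", f"{ap.mode} is not strong encryption; migrate to WPA2")
    if ap.mode in STRONG:
        return ("pass", f"{ap.mode} meets the strong-encryption expectation")
    # Unknown modes are treated as failing until someone classifies them.
    return ("fail", f"unknown security mode {ap.mode!r}; treat as non-compliant")


def audit(inventory: List[AccessPoint], today: date) -> List[Tuple[str, str, str]]:
    """Assess every AP; return (ssid, severity, reason) sorted worst-first."""
    order = {"fail": 0, "warn": 1, "pass": 2}
    results = [(ap.ssid, *assess(ap, today)) for ap in inventory]
    return sorted(results, key=lambda r: (order[r[1]], r[0]))


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    AccessPoint("STORE-POS",     "WEP",      True,  date(2007, 5, 1)),
    AccessPoint("STORE-POS-NEW", "WEP",      True,  date(2009, 6, 15)),
    AccessPoint("STORE-GUEST",   "OPEN",     False, date(2008, 1, 10)),
    AccessPoint("BACKOFFICE",    "WPA-TKIP", True,  date(2008, 9, 1)),
    AccessPoint("ATM-UPLINK",    "WPA2-AES", True,  date(2008, 11, 20)),
]


def audit_as_of(iso_day: str) -> List[Tuple[str, str, str]]:
    """Run the audit on the sample inventory as of an ISO date such as '2009-10-01'."""
    return audit(SAMPLE_INVENTORY, date.fromisoformat(iso_day))


if __name__ == "__main__":
    for ssid, severity, reason in audit_as_of("2009-10-01"):
        print(f"{severity.upper():4} {ssid:14} {reason}")
```

Run as of a date before the sunset and the legacy WEP network is only a warning with a countdown, while a WEP network deployed after the March 2009 cutoff fails outright; rerun with a date after June 30, 2010 and every remaining WEP network fails. The guest network is ignored because it is marked as outside the cardholder data environment, which is exactly the scoping decision an assessor would want to see justified.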
In the United States, the PCI Security Standards Council rolled out the finalized standard in community meetings in Orlando, Fla., and will hold European meetings later this month in Brussels. The council also says it plans to update the Data Security Standard every two years.
 
In response to questions from the payment-card community, the council is developing a guide to help companies prioritize their compliance. Russo says it's a risk-based approach to tackle the greatest vulnerabilities first.
 
"Companies will still have to comply with all the standards, but there are things you can do upfront to cut down the risk," he said.
 
The council expects to publish the risk-based guidelines later this year.

©2025 Networld Media Group, LLC. All rights reserved.