Wireless security requirements, new antivirus rules and network firewall settings are among the clarifications in version 1.2 of the Data Security Standards expected to take effect in October.
The PCI Security Standards Council issued a
"Version 1.2 should be seen as an improvement, not a departure from tried and true best security practices," said Bob Russo, general manager of the PCI Security Standards Council.
The new version relaxes the required review interval for firewall rule sets from quarterly to every six months. The council said it changed the control's timeline slightly to align it better with an organization's risk management policies.
Several clarifications address cardholder data in wireless environments. The council removed references to WEP so that organizations move to stronger encryption over wireless networks: new WEP implementations are not allowed after March 31, 2009, and existing implementations must discontinue WEP after June 30, 2010. Version 1.2 also makes requirement 6.6 mandatory. Earlier this year the council clarified requirement 6.6 to require that all public-facing Web applications be either reviewed, manually or with automated assessment tools, or protected by a Web application firewall.
"Wireless must now be implemented according to industry best practices (e.g., IEEE 802.1x) using strong encryption for authentication and transmission," according to the council's summary of changes.
Diana Kelley, founder and partner at consulting firm Security Curve, said she would seek an explanation of whether transmissions could be protected using other methods.
"802.1x is the most robust way, but can you protect at the higher levels? That's unclear," Kelley said. "If they're going to require 802.1x for everybody that's definitely raising the bar."
The council also added wireless information to its requirement that addresses system passwords and other security parameters. It also removed a requirement to disable SSID broadcast since it does little to stop an attacker.
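As an added illustration, not taken from the article or from the council's documentation, the hostapd configuration below shows the WEP setting the standard phases out beside a WPA2-Enterprise configuration that authenticates clients over 802.1X against a RADIUS server and encrypts traffic with AES-CCMP. The interface name, SSID, IP addresses and the RADIUS shared secret are placeholders chosen for the example.

```ini
# /etc/hostapd/hostapd.conf  (example configuration; values are placeholders)

# --- Weak: WEP, which PCI DSS 1.2 phases out. Left commented out so it cannot be active. ---
# interface=wlan0
# ssid=POS-WIFI
# wep_default_key=0
# wep_key0=0102030405      # 40-bit WEP key; recoverable from a short traffic capture

# --- Corrected: WPA2-Enterprise (802.1X/EAP with AES-CCMP) ---
interface=wlan0
driver=nl80211
ssid=POS-WIFI
hw_mode=g
channel=6

# Keep broadcasting the SSID: v1.2 dropped the "disable SSID broadcast" requirement
# because hiding the SSID does little to stop an attacker.
ignore_broadcast_ssid=0

# WPA2 only (wpa=2), keys negotiated through 802.1X/EAP, AES-CCMP only (no TKIP).
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
rsn_pairwise=CCMP

# 802.1X authenticator: forward EAP to a RADIUS server, which holds client credentials.
ieee8021x=1
own_ip_addr=192.0.2.10              # this AP's address as seen by the RADIUS server (placeholder)
auth_server_addr=192.0.2.20         # RADIUS server (placeholder)
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-to-a-long-random-secret
```

Once the AP is running, a client that can associate without presenting EAP credentials, or that negotiates TKIP instead of CCMP, indicates the configuration was not applied as intended.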
Another area that may need further clarification, according to Kelley, is the update clarifying use of antivirus software. Version 1.2 says the use of antivirus software applies to all operating system types. It's unclear whether that includes mainframe environments and how difficult it could be for retailers and merchants to find antivirus software for Linux and Mac operating systems, especially on some POS devices.
The standard was also tweaked to address physical access to cardholder data, easing a requirement for cameras. The updated version allows "other appropriate access control mechanisms" for protecting physical access to cardholder data.
Version 1.2 also revised the requirements for stored cardholder data. Companies must now visit offsite storage locations annually, and the standard clarifies that its media-security requirements apply to both electronic and paper media containing cardholder data.
Overall, Kelley said the council took a step in the right direction with version 1.2.
"As far as I can tell, retailers and merchants should see this as helpful," Kelley said. "They've fixed some problems, but some questions have been raised and need to be addressed."