
PCI groups to focus on wireless, pre-authorization changes

By Robert Westervelt, News Editor
21 Aug 2008 | SearchSecurity.com


The PCI Security Standards Council has quietly introduced two special interest groups (SIGs) designed to recommend future changes to the data security standards.

The two groups, formed recently, will focus on addressing the security of credit card data prior to authorizing a transaction and the wireless transmission of credit card information, said Bob Russo, general manager of the PCI Security Standards Council.

The pre-authorization group may focus on how the standards could address pre-authorization of data storage, which is currently managed by the individual card brands.

The wireless SIG will focus on rapidly changing wireless security issues, Russo said. There also have been a number of clarifications to the standards addressing the transmission of wireless data.

"When the standard comes out at the end of September there will be more clarifications and more tweaking, especially in this particular area," Russo said. "The wireless area is one that changes so rapidly that it's hard to keep up and something that we have to address and keep up on regularly."

The group focusing on wireless issues met two weeks ago. The pre-authorization group will meet next week to get organized and establish objectives, Russo said.

The council released a summary of the clarifications being issued in version 1.2 of the PCI standards. Due out in October, the latest version will remove references to WEP security to get organizations to use stronger encryption over wireless networks. New implementations of WEP are not allowed after March 31, 2009. Current implementations must discontinue use of WEP after June 30, 2010. Pre-authorization security is not addressed in the latest clarifications, nor is it addressed in version 1.1 of the standards.

"I don't really see 1.2 as a major change for people," Russo said. "If you've already started down the road on 1.1 there's no need to worry about changes."

In addition to a clarification addressing antivirus software -- making antivirus a requirement for all operating systems -- version 1.2 also addresses patching, specifying a risk-based approach to be used to prioritize patch deployments. Russo said the council is being more flexible with patching since it could take large companies more than 30 days to properly test patches before they are deployed.

"We didn't want to make a blanket statement that everything must take 30 days," Russo said. "A standard patching policy is ok, but each patch has to be looked at for the risk that it addresses. … based on a risk-based approach."

The SIGs are led by a member of the PCI board of advisors. Participating organizations may assign a representative to take part in the SIG and propose additional groups to focus on topics of concern, Russo said.

"These are truly special interest groups that are run by the participating organizations."

The two groups will present their goals and objectives in a session at the council's Community Meeting on September 23-25 in Orlando.
