PCI DSS 1.2 clarifies wireless, antivirus use

By Robert Westervelt, News Editor
19 Aug 2008 | SearchSecurity.com


Wireless security requirements, new antivirus rules and network firewall settings are among the clarifications in version 1.2 of the PCI Data Security Standard (PCI DSS), which is expected to take effect in October.


The PCI Security Standards Council issued a summary of the changes late Tuesday, giving merchants and participating organizations time to review them before they take effect. The council said the new version has minimal impact on existing requirements and adds no new requirements to the standard.

"Version 1.2 should be seen as an improvement, not a departure from tried and true best security practices," said Bob Russo, general manager of the PCI Security Standards Council.

The new version relaxes the required frequency of firewall rule-set reviews from quarterly to every 6 months. The council said it changed the control timeline slightly to better align it with an organization's risk management policies.

A number of clarifications address cardholder data in wireless environments. Separately, version 1.2 makes requirement 6.6 mandatory. Earlier this year, the council issued a clarification on requirement 6.6, requiring that all public-facing Web applications either be reviewed (manually or with automated assessment tools) or be protected by a Web application firewall. On the wireless side, the council approved removing references to WEP in order to push organizations toward stronger encryption on wireless networks. New implementations of WEP are not allowed after March 31, 2009. Current implementations must discontinue use of WEP after June 30, 2010.


"Wireless must now be implemented according to industry best practices (e.g., IEEE 802.1x) using strong encryption for authentication and transmission," according to the council's summary of changes.

Diana Kelley, founder and partner at consulting firm Security Curve, said she would seek an explanation of whether transmissions could be protected using other methods.

"802.1x is the most robust way, but can you protect at the higher levels? That's unclear," Kelley said. "If they're going to require 802.1x for everybody that's definitely raising the bar."

The council also added wireless information to its requirement that addresses system passwords and other security parameters. It also removed a requirement to disable SSID broadcast since it does little to stop an attacker.
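The three wireless points above (WEP's phase-out dates, the 802.1x and strong-encryption expectation, and the dropped SSID-hiding requirement) are the kind of thing an assessor checks against access-point configurations. The following is an added example, not code from the article or from the PCI Security Standards Council: a small Python audit that parses hostapd-style `key=value` access-point configs (the config snippets are constructed; only the field names follow hostapd syntax), classifies each AP's encryption, and applies the two WEP deadlines the article quotes. The access-point names, deployment dates and assessment date are all assumptions made up for the example.

```python
from datetime import date

# WEP phase-out dates from the PCI DSS 1.2 summary of changes quoted in the article
WEP_NEW_DEPLOYMENT_CUTOFF = date(2009, 3, 31)   # no new WEP implementations after this
WEP_EXISTING_CUTOFF = date(2010, 6, 30)          # existing WEP must be retired after this

# Constructed hostapd-style configs for three hypothetical store access points.
# Field names follow hostapd's syntax; every value here is made up.
SAMPLE_AP_CONFIGS = {
    "ap-store-01": "ssid=POS-NET\nwep_default_key=0\nwep_key0=\"abcde\"\nignore_broadcast_ssid=1\n",
    "ap-store-02": "ssid=POS-NET\nwpa=2\nwpa_key_mgmt=WPA-PSK\nwpa_passphrase=example-passphrase\n",
    "ap-store-03": "ssid=POS-NET\nwpa=2\nwpa_key_mgmt=WPA-EAP\nieee8021x=1\nauth_server_addr=192.0.2.10\n",
}

# Assumed dates on which each sample access point was put into service
SAMPLE_DEPLOY_DATES = {
    "ap-store-01": date(2008, 1, 15),
    "ap-store-02": date(2008, 9, 1),
    "ap-store-03": date(2009, 5, 1),
}


def parse_hostapd(text):
    """Parse 'key=value' lines into a dict, skipping blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def classify_encryption(conf):
    """Return 'wep', '802.1x', 'wpa-psk' or 'open' for a parsed config."""
    if any(k.startswith("wep_key") for k in conf):
        return "wep"
    if conf.get("ieee8021x") == "1" or "EAP" in conf.get("wpa_key_mgmt", ""):
        return "802.1x"
    if conf.get("wpa") in ("1", "2", "3"):
        return "wpa-psk"
    return "open"


def wep_status(encryption, deployed_on, assessed_on):
    """Apply the version 1.2 WEP deadlines to one access point."""
    if encryption != "wep":
        return "ok"
    if deployed_on > WEP_NEW_DEPLOYMENT_CUTOFF:
        return "violation: new WEP deployment after 2009-03-31"
    if assessed_on > WEP_EXISTING_CUTOFF:
        return "violation: WEP still in use after 2010-06-30"
    return "warning: WEP must be retired by 2010-06-30"


def audit(configs, deploy_dates, assessed_on):
    """Return {ap_name: (encryption, wep_status, notes)} for every access point."""
    report = {}
    for name, text in configs.items():
        conf = parse_hostapd(text)
        enc = classify_encryption(conf)
        status = wep_status(enc, deploy_dates[name], assessed_on)
        notes = []
        if conf.get("ignore_broadcast_ssid") == "1":
            notes.append("hidden SSID adds no real protection; v1.2 dropped this requirement")
        if enc == "wpa-psk":
            notes.append("pre-shared key rather than 802.1x; confirm it meets the strong-encryption requirement")
        report[name] = (enc, status, notes)
    return report


def run_sample_audit(year=2010, month=1, day=1):
    """Audit the constructed sample fleet as of the given assessment date."""
    return audit(SAMPLE_AP_CONFIGS, SAMPLE_DEPLOY_DATES, date(year, month, day))


if __name__ == "__main__":
    for name, (enc, status, notes) in run_sample_audit().items():
        print(f"{name}: {enc:8s} {status}")
        for note in notes:
            print(f"    note: {note}")
```

Run as-is it reports the WEP access point as a warning (still inside the retirement window on the assumed 2010-01-01 assessment date), the WPA2-PSK one as technically fine but worth a closer look against the 802.1x wording, and the EAP-based one as clean; moving the assessment date past June 30, 2010 turns the WEP warning into a violation. Real deployments would feed it exported controller or AP configurations instead of the constructed strings.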

Another area that may need further clarification, according to Kelley, is the update clarifying use of antivirus software. Version 1.2 says the use of antivirus software applies to all operating system types. It's unclear whether that includes mainframe environments and how difficult it could be for retailers and merchants to find antivirus software for Linux and Mac operating systems, especially on some POS devices.


The standard was also tweaked to address physical access to cardholder data, easing a requirement for cameras. The updated version allows "other appropriate access control mechanisms" for protecting physical access to cardholder data.

The security of stored cardholder data was also addressed in version 1.2. The standard will now require companies to visit offsite storage locations annually. It also clarified that secure media handling applies to both electronic and paper media containing cardholder data.

Overall, Kelley said the council took a step in the right direction with version 1.2.

"As far as I can tell, retailers and merchants should see this as helpful," Kelley said. "They've fixed some problems, but some questions have been raised and need to be addressed."
