PCI version 1.2 clarifications: How to get an early start on compliance audits

The PCI Security Standards Council has assured us in its summary document that there are no new major requirements in 1.2; the 12 familiar requirements remain. But merchants and service providers know that adjusting to small changes can arduous and costly. So it's wise for merchants, service providers, and assessors to think about and plan for the upcoming changes as soon as possible. Planning a strategy now can mean the difference between a smooth rollout and a last minute scramble. With that in mind, let's take a look at specifically where and how controls might have to change based on the preview of the council's updates.

Specificity: You asked for it, you got it
By contrast to some other regulations, like HIPAA and SOX, PCI DSS is prescriptive in nature, meaning it specifies particular technical controls that an enterprise needs to deploy and, in many cases, details how they should be implemented. Many merchants and service providers, however, feel that prior versions of the standard don't go far enough; there's too much "wiggle room" in how the controls are interpreted.

For example, Requirement 3.4 of the 1.1 standard mandates the use of "strong cryptography" to protect primary account numbers (PANs), but leaves open the question of what counts as "strong." Some assessors have interpreted "strong cryptography" to mean only cryptographic modules that have gone through FIPS 140-2 certification; others consider older algorithms like DES sufficient. Having a broad spectrum of interpretation makes it difficult f...

Version 1.2 of the standard promises to help clear up some of these gray areas. But this can mean additional work in areas where organizations may have misinterpreted controls.

For example, the council has clarified that Requirement 9 of the standard ("restrict physical access to cardholder data" ) applies to paper records containing payment instrument information -- cardholder data -- as well as electronic data.

This single change has wide-ranging implications. Imprints of cards made by taxi drivers, the written card number on a plumber's invoice, the discarded carbon copies made from offline impressions -- there's no question now that these all need to be protected and physically secured. Firms that are not currently protecting this data will find that they have numerous logistical challenges on the horizon. They'll need to track the life cycle of those paper documents, locate and document places where the forms are stored, and ensure that the proper physical-access restrictions are implemented. These firms will need to deploy the same types of controls as they would for a data center or electronic repository of data.

In situations that involve semi-public or constrained areas, implementing the appropriate physical access controls can prove difficult or impossible With a taxi company, for example, implementing robust physical protections for the impression documents is a tall order. Since compliance may require some significant work, the time to start thinking about this is now -- while budgets are still under discussion. Some firms may find that the cost of replacing paper-based transactions with electronic alternatives may be a cheaper long-term option than implementing the requisite physical controls. That taxi company might find it more cost-effective to implement payment terminals for passengers to use rather than trying to deploy physical controls to protect hard-copy documents.

Controls: Softening some, hardening others
Aside from the clarifications, there are also some notable changes to existing controls. Requirement 5, for example, is getting stronger; instead of mandating only Windows systems to use antimalware software (which was the practical implication of version 1.1 of the standard), the requirement has been expanded to include other systems as well.

For most merchants and service providers, the extension of Requirement 5 will require the installation of antimalware on back-end systems like Unix. Merchants that don't have an appropriate AV product for these platforms might want to consider carving out a niche in the 2009 budget to review a few tools that support the functionality. For many merchants, keep in mind, this requirement can also affect the point of sale. Merchants looking to follow this control should consider point-of-sale systems based on commercial OSes and establish where they do not have antimalware software currently installed.

On the other hand, some of the more difficult controls have been opened up to allow more flexibility. Take, for example, Requirement 9.1.1, which mandates the use of cameras and the retention of camera footage for areas where card data is in play. Organizations like restaurants and "mom and pop" shops, however, have found this control particularly challenging, as customers are not always happy about obvious cameras, not to mention the volume of space that would need to be monitored. Similarly, a small retail store may not have the funds to implement a camera at the point of sale.

The requirement now allows organizations the flexibility to select other access control methods where appropriate. The actual text of the requirement will likely clarify if there are additional constraints about acceptable alternative methods, but it's not difficult to imagine approved controls such as enhanced authentication for payment-accepting kiosks or for semi-public points of sale in restaurants.
Taken as a whole, the changes outlined by the PCI Security Standards Council for PCI DSS version 1.2 seem like they'll make life easier. That's not to say that there won't be a few logistical hiccups on the way, but it's clear from the summary of changes that the council is listening to the feedback from the trenches.

About the author:
Ed Moyle is currently a manager with CTG's Information Security Solutions practice, providing strategy, consulting, and solutions to clients worldwide as well as a founding partner of Security Curve. Prior to joining Security Curve, Moyle was vice president and information security officer for Merrill Lynch Investment Managers (MLIM,) where he was responsible for coordinating all aspects of information security within the business unit.

Before joining Merrill, Moyle worked within the federal sector for Computer Science Corporation (CSC,) where he consulted to the Department of Defense JCALS (Joint Service Computer Aided Acquisition and Logistics System) program. Moyle is co-author of "Cryptographic Libraries for Developers", and a frequent contributor to the Information Security industry as an author, public speaker, and analyst.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Compliance Counselor,   PCI Data Security Standard,   Security Audit, Compliance and Standards,   IT Security Audits,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Compliance Counselor Identity lifecycle management for security and compliance Interpreting 'risk' in the Massachusetts data protection law FTC Red Flags Rules: How to create an identity theft prevention plan Creating a HIPAA employee training program Data protection tips for corporate compliance leaders PCI DSS compliance requirements: Ensuring data integrity Understanding PCI DSS compliance requirements for log management Are 'strong authentication' methods strong enough for compliance? Strategies for using technology to enable automated compliance Common PCI questions: Web application firewalls or source code review? PCI Data Security Standard Chip and PIN adoption Chip and PIN adoption serves lesson for U.S. payment industry Heartland CIO is critical of First Data's credit card tokenization plan Heartland CIO on end-to-end encryption, credit card tokenization Heartland CIO on PCI, E3 project Wireless network guidelines for PCI DSS compliance Visa probes tokens, encryption for PCI card data protection Feds push cybersecurity jobs, PCI DSS changes ahead. Voltage, RSA spar over tokenization, data protection Experts, vendors search for PCI's holy grail IT Security Audits Standards compliance does not equal sound information security risk management Tony Spinelli: Prioritize Information Security over Compliance How to prepare for a FERPA audit MasterCard increases PCI compliance requirements for some merchants How to select a set of network security audit guidelines How to write a risk methodology that blends business, security needs PCI compliance requirement 11: Testing Using IAM tools to improve compliance Forensic accounting success depends on information security support HIPAA compliance: New regulations change the game RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary PCI DSS (Payment Card Industry Data Security Standard )  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.