ECommerceTimes.com

New PCI Security Standards: Lock It Down, Lock It Tight


New PCI regulations are just around the corner, and retailers dealing with credit cards will need to tighten up their standards in order to comply. For instance, your firewall performance will be reviewed more often, and you'll have to use anti-virus protection even on non-Windows platforms. Also, if you're still using WEP encryption, better get ready to chuck that and move to something better ASAP.



The Payment Card Industry (PCI) regulation changes that take effect Oct. 1 will mean some additional work for IT departments -- and some new spending.

But the PCI Data Security Standard (DSS) version 1.2 will allow the Payment Card Industry a phase-in period to meet the new rules, according to two security firms that provide compliance tools.

The PCI Data Security Standard, first adopted by the PCI Security Standards Council in 2005, contains 12 rules with several sub-sections. The council amended some of those regulations with Version 1.1 in September of 2006. The PCI DSS is a comprehensive set of requirements for enhancing payment account data security.

The standards were developed by the founding payment brands of the PCI Security Standards Council, including American Express (NYSE: AXP), Discover Financial Services, JCB International, MasterCard Worldwide and Visa International, to help facilitate the broad adoption of consistent data security measures on a global basis.

In version 1.2, "there are two dozen small changes, some with fairly significant implications," Mike Loyd, chief scientist for RedSeal Systems, told the E-Commerce Times.

Mostly Clarifies

The primary purpose behind Version 1.2 is to clarify the standards brought into play with the last version release. These clarifications remove vaguely worded configuration requirements and specify explicit time frames.

"Often there is a discrepancy between what you have to do and what you should do. Now the new regulations try to bring those two factors closer together to true best practices," said Loyd.

All 12 rules have clarifications, but only a few of them are real changes, according to Loyd. The most significant changes call for more auditing of the network infrastructure and how security patches are handled.

"The new version is making me trust the PCI standards more. It started as an actual deployment created by the industry for the industry. It is now very straightforward," said Amichia Shulman, CTO of Imperva.

A Growth Process

The latest rules show a good evolutionary process, noted Shulman. Others involved in providing compliance tools to vendors agree.

"The old ways didn't take into effect the priority of security. Now PCI is saying that we can take in other properties," Tom Rabaut, director of product management for RedSeal Systems, told the E-Commerce Times.

The new rules show that the PCI Council really wants to become more than a watchdog. It is becoming one of the top three motivators for compliance, he added.

"It's not just a document on a slide that nobody pays attention to," Loyd noted.

Most Significant

Version 1.2 will require that networks enforce firewall rules on perimeter routers. The firewall rule set will now be reviewed every six months rather than quarterly, Shulman said.

Two other changes involve security settings and encryption levels. IT cannot use vendor-supplied defaults for passwords and other security parameters. Also, WEP (Wired Equivalent Privacy) will no longer be allowed. IT must configure a stronger wireless encryption method no later than March 1.

Antivirus protection takes on a more demanding role under the Version 1.2 regulations. Systems that handle cardholder information must be protected by an antivirus system regardless of the operating system used.

"Until now, antivirus was only required for Windows," Shulman said. "Now the network protections must address all known types of malware."

This change reflects a shift in the computing landscape, he explained. Until about two years ago, few -- if any -- antivirus options were available for other platforms.

Checking Risks

Another key rule change focuses on system security. The existing rules require IT to apply all security patches to operating systems and application software.

The new rules allow IT to perform a risk assessment of the patches before blindly applying them. This will allow IT to determine the relative stability of the patch before it causes other problems.

"This mitigates the risk of faulty patches," Shulman said.

Change Highlights

Other tweaks in the PCI DSS require companies that hold and work with card payment data to apply specific new security and access procedures to their networks. For instance, each worker who has access to the computer system must have a unique ID. Also, the company must test stored passwords to ensure that they are unreadable.

Additional security will kick in regarding restricting access to cardholder information. This will be accomplished by better tracking and monitoring of all access to network resources and cardholder data.

"Now it will not be enough to produce an audit trail. The audit must be copied to an internal log server and must be immediately available for analysis," Shulman said.

Companies will also be required to visit the off-site storage facilities holding their sensitive cardholder information at least annually.
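As an added illustration, not from the article nor from RedSeal or Imperva, the following Python script evaluates a constructed system inventory against the version 1.2 changes summarized in the sections above (WEP, vendor defaults, antivirus on every platform, the six-month firewall review, unique IDs, unreadable passwords, and copying the audit trail to an internal log server). The record fields, the 183-day approximation of "six months", and the sample data are all assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class SystemRecord:
    """Constructed inventory record; the field names are this example's own assumption."""
    name: str
    os: str
    wireless_cipher: Optional[str]          # None when the system has no wireless
    vendor_defaults_changed: bool
    antivirus_installed: bool
    last_firewall_review: Optional[date]    # None when not a perimeter device
    account_owners: Dict[str, List[str]]    # account name -> people who log in with it
    passwords_hashed: bool                  # stored passwords rendered unreadable
    log_server: Optional[str]               # internal log server receiving the audit trail


def check_pci12(rec: SystemRecord, today: date) -> List[str]:
    """Return one finding per version 1.2 rule (as described in the article) that fails."""
    findings: List[str] = []
    if rec.wireless_cipher and rec.wireless_cipher.upper() == "WEP":
        findings.append("wireless: WEP in use; a stronger cipher is required")
    if not rec.vendor_defaults_changed:
        findings.append("config: vendor-supplied default passwords/parameters still in place")
    if not rec.antivirus_installed:
        findings.append(f"antivirus: none on {rec.os}; required on every platform")
    # Six-month review window approximated as 183 days (assumption).
    if rec.last_firewall_review and (today - rec.last_firewall_review).days > 183:
        findings.append("firewall: rule set not reviewed within the last six months")
    for account, people in rec.account_owners.items():
        if len(people) > 1:  # one login shared by several workers violates unique IDs
            findings.append(f"access: account '{account}' shared by {len(people)} people")
    if not rec.passwords_hashed:
        findings.append("passwords: stored readable; must be rendered unreadable")
    if not rec.log_server:
        findings.append("logging: audit trail not copied to an internal log server")
    return findings


def demo() -> List[str]:
    """Constructed sample: a branch POS server with several version 1.2 gaps."""
    pos = SystemRecord(
        name="branch-pos-01", os="Linux", wireless_cipher="WEP",
        vendor_defaults_changed=False, antivirus_installed=False,
        last_firewall_review=date(2008, 1, 15),
        account_owners={"cashier": ["alice", "bob"], "mgr": ["carol"]},
        passwords_hashed=True, log_server=None)
    return check_pci12(pos, date(2008, 10, 1))


if __name__ == "__main__":
    for finding in demo():
        print("FAIL", finding)
```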

Don't Panic

Implementation strategies for version 1.2 rules will closely resemble those for version 1.1, Shulman noted.

"There are not a lot of changes, so don't panic. Wireless networks will need changes, but IT will have a reasonable amount of time to comply. Deploying antivirus across all platforms will be a problem for some," he emphasized.

The two most troublesome areas for many companies having to meet the new PCI standards will be in the areas of wireless and network encryption, he said.

Failure Not an Option

Starting Oct. 1, the new assessment standards must be used in measuring a company's PCI compliance, Rabaut warned. Vendors with a lower priority rating for the type of customer data they handle will only need to have a security scan completed by a licensed company, such as Verisign, and complete a questionnaire for self assessment, he said.

"About 80 percent of merchants are higher priority," Loyd added.

Depending on the type of compliance failure, fines could range from US$1,000 to tens of thousands, he said.

"If a data breach occurs, the severity of the fines can be much worse. The credit card companies could stop the offending company's processing rights. It depends on the weight of the vendor," Loyd said.


More by Jack M. Germain