New PCI Security Standards: Lock It Down, Lock It Tight
Sep 2, 2008 4:00 AM PT
The Payment Card Industry (PCI) regulation changes that take effect Oct. 1 will mean some additional work by IT departments -- and some new spending.
But the PCI Data Security Standard (DSS) version 1.2 will allow the Payment Card Industry a phase-in period to meet the new rules, according to two security firms that provide compliance tools.
The PCI Data Security Standard, first adopted by the PCI Security Standards Council in 2005, contains 12 rules with several sub-sections. The council amended some of those regulations with Version 1.1 in September of 2006. The PCI DSS standards are a set of comprehensive requirements for enhancing payment account data security.
The standards were developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa International, to help facilitate the broad adoption of consistent data security measures on a global basis.
In version 1.2, "there are two dozen small changes, some with fairly significant implications," Mike Loyd, chief scientist for RedSeal Systems, told the E-Commerce Times.
The primary purpose behind Version 1.2 is to clarify the standards introduced with the last version release. These clarifications remove vague configuration language and specify concrete time frames.
"Often there is a discrepancy between what you have to do and what you should do. Now the new regulations try to bring those two factors closer together to true best practices," said Loyd.
All 12 rules have clarifications, but only a few of them are real changes, according to Loyd. The most significant changes call for more auditing of the network infrastructure and how security patches are handled.
"The new version is making me trust the PCI standards more. It started as an actual deployment created by the industry for the industry. It is now very straightforward," said Amichia Shulman, CTO of Imperva.
A Growth Process
The latest rules show a good evolutionary process, noted Shulman. Others involved in providing compliance tools to vendors agree.
"The old ways didn't take into effect the priority of security. Now PCI is saying that we can take in other properties," Tom Rabaut, director of product management for RedSeal Systems, told the E-Commerce Times.
The new rules show that the PCI Council really wants to become more than a watchdog. It is becoming one of the top three motivators for compliance, he added.
"It's not just a document on a slide that nobody pays attention to," Loyd noted.
Version 1.2 will require that networks follow firewall rules on perimeter routers. Firewall rule sets will now be reviewed every six months rather than quarterly, Shulman said.
Two other changes involve security settings and encryption levels. IT cannot use vendor-supplied defaults for passwords and other security parameters. Also, WEP (Wired Equivalent Privacy) will no longer be allowed. IT must configure a stronger wireless encryption method no later than March 1.
Antivirus treatment takes on a more demanding role under the Version 1.2 regulations. Networks trafficking in cardholder information must be protected by an antivirus system regardless of the operating system used.
"Until now, antivirus was only required for Windows," Shulman said. "Now the network protections must address all known types of malware."
This change reflects a shift in the computing landscape, he explained. Until about two years ago, few -- if any -- antivirus options were available for other platforms.
Another key rule change focuses on system security. The existing rules require IT to apply all security patches to operating systems and application software.
The new rules allow IT to perform a risk assessment of the patches before blindly applying them. This will allow IT to determine the relative stability of the patch before it causes other problems.
"This mitigates the risk of faulty patches," Shulman said.
Other tweaks in the PCI DSS require those companies that hold and work with card payment data to apply specific new security and access procedures to their networks. For instance, each worker who has access to the computer system must have a unique ID. Also, the company must test stored passwords to ensure that they are unreadable.
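The two requirements just described, a unique ID per worker and passwords that are stored unreadably, are easy to check mechanically. The following added example (not from the article or from any PCI Council document) stores passwords as salted PBKDF2-SHA256 hashes and audits a credential store for shared or duplicate user IDs and for password fields that are not in that hashed form. The record format, the `audit_credential_store` function and the sample records are all constructed for this illustration.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Work factor for PBKDF2; chosen for illustration, tune to your hardware.
ITERATIONS = 200_000

# Stored form (constructed, hypothetical): algorithm$iterations$salt_hex$digest_hex
STORED_RE = re.compile(r"^pbkdf2_sha256\$\d+\$[0-9a-f]{32}\$[0-9a-f]{64}$")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a salted, iterated hash; the password itself is never stored."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per credential
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def audit_credential_store(records: List[Tuple[str, str]]) -> List[str]:
    """Flag duplicate IDs, generic shared accounts and readable password fields.

    Each record is (user_id, password_field). Returns a list of findings;
    an empty list means the store passed this check.
    """
    findings = []
    seen = set()
    for user_id, password_field in records:
        if user_id in seen:
            findings.append(f"duplicate user ID: {user_id}")
        seen.add(user_id)
        if user_id.lower() in {"admin", "operator", "shared", "pos"}:
            findings.append(f"{user_id}: generic account, not tied to one worker")
        if not STORED_RE.match(password_field):
            findings.append(f"{user_id}: password field is not a salted PBKDF2 hash")
    return findings


# Constructed sample store: one compliant record, one plaintext password,
# one duplicate ID and one shared account.
SAMPLE_RECORDS = [
    ("jsmith", hash_password("correct horse battery staple")),
    ("mjones", "Summer2008!"),                  # readable: fails the check
    ("jsmith", hash_password("another secret")),  # duplicate ID
    ("pos", hash_password("terminal-1")),         # shared account
]


if __name__ == "__main__":
    for finding in audit_credential_store(SAMPLE_RECORDS):
        print("FINDING:", finding)
```

Running the block lists three findings for the sample store. The regular-expression check only proves the field has the shape of a hash; a real review would also confirm that the application never logs or echoes the cleartext on the way in.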
Additional security will kick in regarding restricting access to card holder information. This will be accomplished by better tracking and monitoring all access to network resources and cardholder data.
"Now it will not be enough to produce an audit trail. The audit must be copied to an internal log server and must be immediately available for analysis," Shulman said.
Companies will also be required to visit the off-site storage facilities holding their sensitive cardholder information at least annually.
Implementation strategies for version 1.2 rules will closely resemble those for version 1.1, Shulman noted.
"There are not a lot of changes, so don't panic. Wireless networks will need changes, but IT will have a reasonable amount of time to comply. Deploying antivirus across all platforms will be a problem for some," he emphasized.
The two most troublesome areas for many companies having to meet the new PCI standards will be in the areas of wireless and network encryption, he said.
Failure Not an Option
Starting Oct. 1, the new assessment standards must be used in measuring a company's PCI compliance, Rabaut warned. Vendors with a lower priority rating for the type of customer data they handle will only need to have a security scan completed by a licensed company, such as Verisign, and complete a questionnaire for self assessment, he said.
"About 80 percent of merchants are higher priority," Loyd added.
Depending on the type of compliance failure, fines could range from US$1,000 to tens of thousands, he said.
"If a data breach occurs, the severity of the fines can be much worse. The credit card companies could stop the offending company's processing rights. It depends on the weight of the vendor," Loyd said.