RealTime IT News

PCI Standard Widened for Better Security


In the wake of heavily publicized breaches such as the one at TJX that are reported to have been the result of inadequate wireless transmission security, the credit card industry has broadened its security standards.

The PCI Security Standards Council, which governs the standard, yesterday unveiled version 1.2 of the PCI Data Security Standard, or PCI-DSS. The new version of the security standard for credit card transactions will be available for merchant use on Oct. 1, the organization reported.

Although the Council says version 1.2 will "not introduce any major new requirements" and will only "introduce clarifying items," it has introduced important changes. The updates include requirements for PCI-DSS 6.6, which came into effect June 30.

Version 1.2 drops the Wired Equivalent Privacy (WEP) wireless security protocol in favor of the newer IEEE 802.11x standard. It also adds monitoring requirements covering removable electronic media, e-mail, the Web, laptops and PDAs. In addition, it tightens security requirements for employees of the companies PCI-DSS governs.

PCI-DSS version 1.2 will be made available to participating organizations in the first week of September and will be discussed in further detail at the Council's Community Meeting in Orlando, Fla., Sept. 23–25. Follow-on discussions will be held at the Council's second community meeting in Brussels, Belgium, Oct. 22–23.

"The idea is not to introduce new requirements, but some clarifications will lead to certain changes in the way you do things," Sumedh Thakar, PCI solutions manager at on-demand vulnerability management and policy compliance solutions vendor Qualys, told InternetNews.com.

For example, Version 1.2 says retailers can either place a Web application firewall in front of customer-facing applications or conduct automated or manual vulnerability scans, whereas PCI-DSS 6.6 recommended they use the firewall or harden their source code.

Thakar welcomed this change because "a vulnerability scan is more doable and less expensive than going through your source code." Instead of having to go through possibly millions of lines of source code, companies can run a scan, then focus on the vulnerabilities it detects in the code and remedy those.

Another change that Thakar likes is the Council's formally ruling out the use of WEP, which has, since 2001, been known to be easy to crack. "The standard has always recommended that WEP not be used, but now they're putting in a timeline," Thakar said.

Version 1.2 says that new implementations of wireless networks cannot use WEP implementations after March 31, 2009, and current implementations must get rid of WEP by June 30, 2010. It recommends using IEEE 802.11x or stronger encryption. Wi-Fi Protected Access 2 (WPA2) and IEEE 802.11x are stronger protocols, Thakar said.

Thakar also gave the thumbs-up to the inclusion of PDAs in Version 1.2. "There are so many companies now using the new iPhones, which can connect over a virtual private network to your company network," he said.

One other item he noted is the new rule that companies implement an information security policy requiring employees to acknowledge that they have read and understood their security policy and procedures at least once a year.

However, Rishi Bhargava, director of product management at SolidCore, which provides change, audit and configuration control and PCI compliance solutions, thinks the Council needs to do more in terms of providing guidance.

He focused on the requirement that companies implement antivirus software for all operating systems. "They have expanded the scope of antivirus software to include all operating systems, but that just focuses on known types of malicious software," Bhargava told InternetNews.com.

However, attacks on "Hannaford and other stores were targeted attacks using software written specifically for point of sale devices, not known malicious software," Bhargava said. "The standard is not helping protect companies from unknown or new threats that emerge," Bhargava added.

Bhargava advocates using a combination of whitelisting, where only applications that have been approved are allowed into a system, and host and network intrusion prevention systems. "These three should be mandatory on point of sale systems," he said.
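To make concrete the distinction Bhargava draws between antivirus, which recognizes only known malicious software, and whitelisting, which admits only approved software, here is an added illustration that is not part of the article and is not SolidCore's product: a toy hash-based allowlist placed beside a hash-based blocklist and run over constructed sample "binaries." The sample bytes, file names and the hash-only matching are assumptions for the illustration; real allowlisting products also use publisher certificates, paths and change-control workflows.

```python
"""Allowlist (whitelist) versus signature blocklist on a simulated point-of-sale host.

Added example, not from the article. All "binaries" below are constructed byte
strings standing in for executable files; matching is by SHA-256 hash only.
"""
import hashlib

# Constructed: the software that was approved for this POS host at deployment time.
APPROVED_BINARIES = {
    "pos_terminal.exe": b"approved point-of-sale application build 1.0",
    "receipt_printer.dll": b"approved printer driver build 7",
}

# Constructed: one sample a signature database already covers ("known malicious software").
KNOWN_MALWARE = {
    "old_skimmer.exe": b"known-bad sample already in the antivirus signature set",
}

# Constructed: a previously unseen sample, standing in for malware written
# specifically for this POS and therefore absent from every signature set.
UNSEEN_SAMPLE = b"custom malware written for this POS, never seen by any vendor"

# Constructed: an approved binary after an unauthorized modification.
TAMPERED_BINARY = APPROVED_BINARIES["pos_terminal.exe"] + b" + unauthorized patch"


def sha256(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes, the identity both models key on."""
    return hashlib.sha256(data).hexdigest()


# Allowlist: hashes of everything explicitly approved. Anything else is denied.
ALLOWLIST = frozenset(sha256(b) for b in APPROVED_BINARIES.values())

# Blocklist: hashes of everything known to be bad. Anything else is permitted.
BLOCKLIST = frozenset(sha256(b) for b in KNOWN_MALWARE.values())


def blocklist_allows(data: bytes) -> bool:
    """Signature model: execution is permitted unless the hash is a known-bad one."""
    return sha256(data) not in BLOCKLIST


def allowlist_allows(data: bytes) -> bool:
    """Whitelist model: execution is permitted only if the hash was pre-approved."""
    return sha256(data) in ALLOWLIST


def compare(data: bytes) -> dict:
    """Decision of each model for one candidate file; True means 'may run'."""
    return {"blocklist": blocklist_allows(data), "allowlist": allowlist_allows(data)}


def main() -> None:
    cases = {
        "approved pos_terminal.exe": APPROVED_BINARIES["pos_terminal.exe"],
        "known malware": KNOWN_MALWARE["old_skimmer.exe"],
        "unseen POS malware": UNSEEN_SAMPLE,
        "tampered pos_terminal.exe": TAMPERED_BINARY,
    }
    print(f"{'candidate':28} {'blocklist':>10} {'allowlist':>10}")
    for name, data in cases.items():
        verdict = compare(data)
        print(f"{name:28} {str(verdict['blocklist']):>10} {str(verdict['allowlist']):>10}")


if __name__ == "__main__":
    main()
```

The two rows that matter are the last two: the unseen sample and the tampered build both pass the blocklist, because no signature exists for them, and both fail the allowlist, because neither hash was ever approved. That is the gap Bhargava describes, and it is also why allowlisting doubles as change control: any modification to an approved binary changes its hash and is refused until it is re-approved.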

According to Bhargava, "more than 30 grocery chain brands" have adopted SolidCore's whitelisting solution. With support from these customers, SolidCore is working with the PCI Council to further hone security guidelines.

"Retailers need to be ahead of the bad guys," Bhargava explained. "Antivirus doesn't protect against the self-modifying viruses the bad guys are coming up with."

The PCI Council could not comment by press time.