PCI Standard Widened for Better Security


In the wake of heavily publicized breaches, such as the one at TJX, that
are reported to have resulted from inadequate wireless transmission
security, the credit card industry has broadened its security standards.

The PCI Security Standards Council, which governs the standard, yesterday unveiled version 1.2 of PCI Data Security Standards, or PCI-DSS. The organization reported that this security standard for credit card transactions will be available for merchant use on Oct. 1.

Although the Council says version 1.2 will “not introduce any major new
requirements” and will only “introduce clarifying items,” it has introduced
important changes. The updates include requirements for PCI-DSS 6.6,
which came into effect June 30.

Version 1.2 drops the Wired Equivalent Privacy, or WEP, wireless security protocol in favor of the newer IEEE 802.11x standard. It also adds monitoring capabilities for removable electronic media, e-mail, Web, laptops and PDAs. In addition, it tightens up security requirements for employees of companies the PCI-DSS governs.

PCI-DSS version 1.2 will be made available to participating organizations
in the first week of September and will be discussed further in detail at
the Council’s Community Meeting in Orlando, Fla., Sept. 23–25. Follow-on
discussions will be held at the Council’s second community meeting in
Brussels, Belgium, October 22-23.

“The idea is not to introduce new requirements, but some clarifications
will lead to certain changes in the way you do things,” Sumedh Thakar, PCI
solutions manager at on-demand vulnerability management and policy
compliance solutions vendor Qualys, told InternetNews.com.

For example, Version 1.2 says retailers can either have a Web application
firewall in front of customer-facing solutions or conduct automated or
manual vulnerability scans, whereas PCI-DSS 6.6 recommended they use
the firewall or harden their source code.

Thakar welcomed this change because “a vulnerability scan is more doable
and less expensive than going through your source code.” Instead of having
to go through possibly millions of lines of source code, companies can run a
scan, then focus on the detected vulnerabilities in the code and remedy those.

Another change that Thakar likes is the Council’s formally ruling out the
use of WEP, which has, since 2001, been known to be easy to crack. “The
standard has always recommended that WEP not be used, but now they’re
putting in a timeline,” Thakar said.

Version 1.2 says that new wireless network implementations cannot use
WEP after March 31, 2009, and current implementations must get rid of WEP
by June 30, 2010. It recommends using IEEE 802.11x or stronger encryption.
Wi-Fi Protected Access 2 (WPA2) and IEEE 802.11x are stronger protocols, Thakar said.
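The two WEP deadlines above are the kind of thing a merchant's compliance team would check against its own wireless inventory. The following is an added example written for this article, not code from the PCI Council, Qualys or the article's other sources; the inventory rows, the field names and the audit dates are constructed for illustration.

```python
"""Audit a wireless-network inventory against the PCI-DSS 1.2 WEP deadlines.

Added example for this article; inventory rows and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date

# Deadlines as stated in PCI-DSS 1.2 (from the article).
NEW_WEP_CUTOFF = date(2009, 3, 31)   # no new WEP deployments after this date
WEP_RETIREMENT = date(2010, 6, 30)   # all remaining WEP must be gone by this date

# Constructed audit dates: the article's publication week, and a day after
# the retirement deadline, to show how the verdict for legacy WEP changes.
AS_OF = date(2008, 9, 2)
POST_RETIREMENT = date(2010, 7, 1)


@dataclass
class WirelessNetwork:
    ssid: str        # hypothetical network name
    protocol: str    # "WEP", "WPA2", ... as recorded in the inventory
    deployed: date   # date the network went live


def check_network(net: WirelessNetwork, today: date = AS_OF):
    """Return (status, reason) for one network as of `today`.

    status is "ok" (not WEP), "warn" (legacy WEP still inside its grace
    period) or "fail" (new WEP after the cutoff, or WEP past retirement).
    """
    if net.protocol.upper() != "WEP":
        return ("ok", f"{net.ssid}: {net.protocol} is not WEP")
    if net.deployed > NEW_WEP_CUTOFF:
        return ("fail", f"{net.ssid}: new WEP deployment on {net.deployed} "
                        f"is not permitted after {NEW_WEP_CUTOFF}")
    if today > WEP_RETIREMENT:
        return ("fail", f"{net.ssid}: WEP still present after the "
                        f"{WEP_RETIREMENT} retirement deadline")
    days_left = (WEP_RETIREMENT - today).days
    return ("warn", f"{net.ssid}: legacy WEP must be removed within "
                    f"{days_left} days")


def audit(networks, today: date = AS_OF):
    """Run check_network over a whole inventory."""
    return [check_network(n, today) for n in networks]


# Constructed inventory: one legacy WEP network, one WEP network brought up
# after the cutoff, and one network already on WPA2.
SAMPLE_INVENTORY = [
    WirelessNetwork("store-floor-legacy", "WEP", date(2005, 4, 1)),
    WirelessNetwork("warehouse-new", "WEP", date(2009, 5, 15)),
    WirelessNetwork("office", "WPA2", date(2008, 1, 10)),
]

if __name__ == "__main__":
    for when in (AS_OF, POST_RETIREMENT):
        print(f"--- audit as of {when} ---")
        for status, reason in audit(SAMPLE_INVENTORY, when):
            print(status.upper(), reason)
```

The check deliberately separates the two rules: a WEP network deployed after the cutoff fails immediately, while a pre-existing one is only a warning until the retirement date passes, which is the distinction the standard draws between new and current implementations.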

Thakar also gave the thumbs-up to the inclusion of PDAs in Version 1.2.
“There are so many companies now using the new iPhones, which can connect over a virtual private network to your company
network,” he said.

One other item he noted is the new rule that companies implement an
information security policy requiring employees to acknowledge that they
have read and understood their security policy and procedures at least once
a year.

However, Rishi Bhargava, director of product management at SolidCore,
which provides change, audit and configuration control and PCI compliance
solutions, thinks the Council needs to do more in terms of providing
guidance.

He focused on the requirement that companies implement antivirus
software for all operating systems. “They have expanded the scope of
antivirus software to include all operating systems, but that just focuses
on known types of malicious software,” Bhargava told
InternetNews.com.

However, attacks on “Hannaford and other stores were targeted attacks
using software written specifically for point of sale devices, not known
malicious software,” Bhargava said. “The standard is not helping protect
companies from unknown or new threats that emerge,” Bhargava added.

Bhargava advocates using a combination of whitelisting, where only
applications that have been approved are allowed into a system, and host
and network intrusion prevention systems. “These three should be mandatory
on point of sale systems,” he said.

According to Bhargava, “more than 30 grocery chain brands” have adopted
SolidCore’s whitelisting solution. With support from these customers,
SolidCore is working with the PCI Council to further hone security
guidelines.

“Retailers need to be ahead of the bad guys,” Bhargava explained.
“Antivirus doesn’t protect against the self-modifying viruses the bad guys
are coming up with.”
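The contrast Bhargava draws above, between antivirus that only recognizes known malicious software and whitelisting that admits only pre-approved applications, can be shown side by side. This is an added example written for this article, not SolidCore's product or any code from the article's sources; the "executables", the approved catalogue and the known-malware signature are constructed byte strings.

```python
"""Signature-based antivirus versus application whitelisting on a POS host.

Added example for this article; all binaries and signatures are constructed.
"""
import hashlib

# Constructed catalogue of approved point-of-sale software, as an operator
# would maintain it.  Real deployments hash the actual executable files.
APPROVED_BINARIES = {
    "pos_terminal.exe": b"POS terminal v4.2 -- approved build",
    "receipt_printer.exe": b"receipt printer driver -- approved build",
}

# Constructed signature database of *known* malicious software.
KNOWN_MALWARE_SIGNATURES = {b"KNOWN-SAMPLE-SIGNATURE"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allowlist(approved: dict) -> set:
    """Whitelist = set of SHA-256 digests of the approved executables."""
    return {sha256_hex(content) for content in approved.values()}


def antivirus_allows(data: bytes) -> bool:
    """Signature AV: blocks only content that matches a known signature."""
    return not any(sig in data for sig in KNOWN_MALWARE_SIGNATURES)


def whitelist_allows(data: bytes, allowlist: set) -> bool:
    """Whitelisting: permits only content whose digest was pre-approved."""
    return sha256_hex(data) in allowlist


# Constructed samples: the approved binary, a known sample, a never-seen
# program of the kind the article describes, and a tampered copy of the
# approved binary (standing in for self-modifying code).
SAMPLES = {
    "pos_terminal.exe": APPROVED_BINARIES["pos_terminal.exe"],
    "known_malware.exe": b"header KNOWN-SAMPLE-SIGNATURE payload",
    "unknown_targeted_tool.exe": b"never-before-seen code aimed at card readers",
    "pos_terminal.exe (tampered)": APPROVED_BINARIES["pos_terminal.exe"] + b"\x90",
}


def evaluate_all(samples: dict = SAMPLES, approved: dict = APPROVED_BINARIES):
    """Return {sample name: {"antivirus": bool, "whitelist": bool}}."""
    allowlist = build_allowlist(approved)
    return {
        name: {
            "antivirus": antivirus_allows(data),
            "whitelist": whitelist_allows(data, allowlist),
        }
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:32s} antivirus={'allow' if verdict['antivirus'] else 'block':5s} "
              f"whitelist={'allow' if verdict['whitelist'] else 'block'}")
```

The unknown tool and the tampered binary pass the signature check and are stopped only by the whitelist, which is the gap Bhargava describes; the cost of that control is the operational one of keeping the approved-hash catalogue current through every legitimate software update.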

The PCI Council could not comment by press time.
