New security rules on tap for credit-card handlers
Next version of Payment Card Industry security standard due out in October
By Ellen Messmer, Network World, 08/28/2008
Companies that handle credit cards can expect to see revised security rules released in early October, according to the group responsible for maintaining the Payment Card Industry security standard for storage and processing of credit and debit cards.
The next version of the 12-part PCI Data Security Standard is aimed at clarifying questions that merchants and service providers had regarding the current PCI DSS 1.1 standard, says Bob Russo, general manager of the PCI Security Standards Council. Some changes in the forthcoming Version 1.2 may prompt merchants and service providers to make adjustments in their security practices to achieve PCI compliance in the future, he adds.
"We're still tweaking this, but we expect to be finished by September 8th," Russo says. DSS 1.2 will be shared with council members including merchants; card association founders, such as Visa and MasterCard; card processors; and vendors certified to perform network scans or audits as part of the PCI compliance process.
The PCI DSS 1.2 document will be presented at the council's upcoming community meetings in Orlando and Brussels. Upon the official October publication of PCI DSS 1.2, the council will set deadlines for supporting the revised standard. Under discussion now is a sunset date of June 30, 2009 for PCI DSS 1.1.
PCI DSS 1.2 is not yet final, but the council is previewing what businesses can expect to see by October.
For one thing, there will be a clarification on the first rule related to using firewalls to protect cardholder data; the revised standard will change the requirement to review firewall rules from every quarter to every six months.
The council also will remove references to Wired Equivalent Privacy (WEP) to emphasize the use of stronger encryption and authentication for wireless networks. Companies using wireless technologies will be expected to implement "industry best practices," including 802.11x. Specifically, new implementations of WEP are not expected to be allowed after March 31, 2009, though current implementations could continue longer -- until June of next year, under the council's current thinking.
In addition, the revised standard probably will remove the requirement to disable service-set identifier (SSID) broadcast, because disabling SSID broadcast does not prevent a malicious user from determining the SSID, according to the council.
Among other clarifications, the revised standard will note that the requirement to use antivirus software extends to all operating system types. Software patching revisions will clarify that a "risk-based approach" for prioritization of patch installation is acceptable. In the matter of assigning a unique ID to each person for computer access, the Version 1.2 standard is expected to clarify that both passwords and passphrases — authentication challenges that require answers that the user should know — are acceptable for PCI compliance.
A clarification related to restricting physical access to cardholder data makes it clear that this requirement also pertains to paper-based media containing cardholder data, as well as electronic media.
Some other clarifications are expected to detail the need for a protected environment to preserve an audit trail for network resources related to cardholder data. For instance, revised language will clarify that three months of audit-trail history must be immediately available for analysis or quickly accessible. In addition, the council will seek to clarify that both internal and external penetration tests are required.
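The audit-trail clarification above is easy to state and easy to fail quietly: a log archive that exists but has a hole in it, or that starts a few weeks too late, does not give an investigator the full three months. The following Python check is an added example, not part of the article or of any PCI Council material. It assumes the "three months" window is modelled as 90 calendar days, uses a fixed reference date and constructed retention records (system name plus the inclusive date ranges its retained logs cover), and reports every day range inside the window that no retained log segment covers.

```python
from datetime import date, timedelta

# Reference date fixed so the example is reproducible offline (assumption).
TODAY = date(2008, 9, 1)
# Assumption: "three months" of audit-trail history modelled as 90 calendar days.
REQUIRED_DAYS = 90

# Constructed sample: for each in-scope system, the inclusive (first_day, last_day)
# ranges that its retained audit logs cover. Names and dates are made up.
SAMPLE_RETENTION = {
    "fw-edge-01": [(date(2008, 5, 1), date(2008, 9, 1))],            # fully covered
    "db-card-01": [(date(2008, 6, 15), date(2008, 7, 20)),
                   (date(2008, 7, 25), date(2008, 9, 1))],           # late start + July hole
    "pos-store-07": [(date(2008, 7, 10), date(2008, 9, 1))],         # retention starts too late
}


def coverage_gaps(spans, today=TODAY, required_days=REQUIRED_DAYS):
    """Return the inclusive (gap_start, gap_end) ranges inside the required window
    that no retained log segment covers. An empty list means full coverage."""
    window_start = today - timedelta(days=required_days - 1)

    # Clip each segment to the window and drop anything that falls outside it.
    clipped = []
    for start, end in spans:
        s, e = max(start, window_start), min(end, today)
        if s <= e:
            clipped.append((s, e))
    clipped.sort()

    # Sweep from the window start; any segment that begins after the cursor leaves a gap.
    gaps = []
    cursor = window_start
    for s, e in clipped:
        if s > cursor:
            gaps.append((cursor, s - timedelta(days=1)))
        if e >= cursor:
            cursor = e + timedelta(days=1)
    if cursor <= today:
        gaps.append((cursor, today))
    return gaps


def audit_retention_report(retention=SAMPLE_RETENTION, today=TODAY,
                           required_days=REQUIRED_DAYS):
    """Map each system to its uncovered day ranges within the required window."""
    return {name: coverage_gaps(spans, today, required_days)
            for name, spans in retention.items()}


if __name__ == "__main__":
    for system, gaps in audit_retention_report().items():
        if not gaps:
            print(f"{system}: OK, last {REQUIRED_DAYS} days fully covered")
        else:
            missing = ", ".join(f"{a} to {b}" for a, b in gaps)
            print(f"{system}: GAP(S) in audit trail: {missing}")
```

Feeding the check real data means deriving each system's date ranges from the log store (file timestamps, SIEM index ranges, archive manifests); the gap detection itself does not care where the ranges come from. The same sweep can be run with a longer `required_days` against the archive tier to verify the "quickly accessible" part of the requirement separately from the "immediately available" part.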
After the release of PCI DSS 1.2, the next major change to the PCI security standard isn't likely soon, Russo says. "We're hoping to stick to a two-year cycle after that," he says. PCI DSS 1.2 has been under discussion for more than a year as the council reviewed the 2,500 questions it received.