In the wake of heavily publicized breaches such as the one at TJX that are reported to have been the result of inadequate wireless transmission security, the credit card industry has broadened its security standards.
The PCI Security Standards Council, which governs the standard, yesterday unveiled version 1.2 of the PCI Data Security Standard, or PCI-DSS. The security standard for credit card transactions will be available for merchant use on Oct. 1, the organization reported.
Although the Council says version 1.2 will "not introduce any major new requirements" and will only "introduce clarifying items," it has introduced important changes. The updates include requirements for PCI-DSS 6.6, which came into effect June 30.
Version 1.2 drops the Wired Equivalent Privacy, or WEP, wireless security protocol in favor of the newer IEEE 802.11x standard. It also adds monitoring requirements for removable electronic media, e-mail, Web, laptops and PDAs. In addition, it tightens up security requirements for employees of companies the PCI-DSS governs.
PCI-DSS version 1.2 will be made available to participating organizations in the first week of September and will be discussed further in detail at the Council's Community Meeting in Orlando, Fla., Sept. 23-25. Follow-on discussions will be held at the Council's second community meeting in Brussels, Belgium, October 22-23.
"The idea is not to introduce new requirements, but some clarifications will lead to certain changes in the way you do things," Sumedh Thakar, PCI solutions manager at on-demand vulnerability management and policy compliance solutions vendor Qualys, told InternetNews.com.
For example, Version 1.2 says retailers can either place a Web application firewall in front of customer-facing applications or conduct automated or manual vulnerability scans, whereas PCI-DSS 6.6 recommended they use the firewall or harden their source code.
Thakar welcomed this change because "a vulnerability scan is more doable and less expensive than going through your source code." Instead of having to go through possibly millions of lines of source code, companies can run a scan, then focus on the vulnerabilities it detects in the code and remedy those.
Another change that Thakar likes is the Council's formally ruling out the use of WEP, which has, since 2001, been known to be easy to crack. "The standard has always recommended that WEP not be used, but now they're putting in a timeline," Thakar said.
Version 1.2 says that new implementations of wireless networks cannot use WEP after March 31, 2009, and current implementations must get rid of WEP by June 30, 2010. It recommends using IEEE 802.11x or stronger encryption. Wi-Fi Protected Access 2 (WPA2) and IEEE 802.11x are stronger protocols, Thakar said.
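The two WEP dates above are the kind of rule a compliance team ends up encoding against its wireless inventory. The following is an added example, not code from the article, Qualys or the PCI Council: it walks a constructed list of networks and classifies each against the cutoff for new WEP deployments (March 31, 2009) and the removal deadline for existing ones (June 30, 2010). The record layout, SSIDs, dates and the `assess`/`summarize` helpers are assumptions made for illustration.

```python
"""Classify a wireless inventory against the PCI DSS 1.2 WEP deadlines.

Added example. The two dates are the ones reported in the article; the
inventory records, field names and helper functions are constructed here
for illustration and are not part of the standard or any vendor tool.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

NEW_WEP_CUTOFF = date(2009, 3, 31)         # no new WEP implementations after this
EXISTING_WEP_DEADLINE = date(2010, 6, 30)  # existing WEP must be removed by this


@dataclass
class WirelessNetwork:
    ssid: str          # network name (constructed)
    encryption: str    # e.g. "WEP", "WPA2"
    deployed: date     # date the network went into production


@dataclass
class Finding:
    ssid: str
    status: str        # "compliant", "non_compliant" or "remediate_by"
    detail: str


def assess(networks: List[WirelessNetwork], today: date) -> List[Finding]:
    """Return one finding per network, judged as of `today`."""
    findings: List[Finding] = []
    for net in networks:
        if net.encryption.upper() != "WEP":
            # The article names WPA2 / IEEE 802.11x as the acceptable replacements;
            # anything that is not WEP passes this particular check.
            findings.append(Finding(net.ssid, "compliant", f"{net.encryption} in use"))
        elif net.deployed > NEW_WEP_CUTOFF:
            # A WEP network stood up after the cutoff is non-compliant regardless of today's date.
            findings.append(Finding(
                net.ssid, "non_compliant",
                f"WEP deployed {net.deployed}, after the {NEW_WEP_CUTOFF} cutoff for new implementations"))
        elif today > EXISTING_WEP_DEADLINE:
            # Legacy WEP that survived past the removal deadline.
            findings.append(Finding(
                net.ssid, "non_compliant",
                f"legacy WEP still present after the {EXISTING_WEP_DEADLINE} deadline"))
        else:
            # Legacy WEP inside the migration window: report the time left.
            days_left = (EXISTING_WEP_DEADLINE - today).days
            findings.append(Finding(
                net.ssid, "remediate_by",
                f"legacy WEP; {days_left} days until the {EXISTING_WEP_DEADLINE} deadline"))
    return findings


def summarize(networks: List[WirelessNetwork], today: date) -> Dict[str, int]:
    """Count findings by status, handy for a dashboard or a gating check."""
    counts = {"compliant": 0, "non_compliant": 0, "remediate_by": 0}
    for finding in assess(networks, today):
        counts[finding.status] += 1
    return counts


# Constructed inventory: a pre-cutoff WEP network, a post-cutoff WEP network, a WPA2 network.
SAMPLE_INVENTORY = [
    WirelessNetwork("store-pos", "WEP", date(2007, 5, 1)),
    WirelessNetwork("store-pos-new", "WEP", date(2009, 6, 15)),
    WirelessNetwork("store-corp", "WPA2", date(2009, 1, 10)),
]

# Two constructed assessment dates: inside the migration window, and after the deadline.
ASSESSMENT_DATE = date(2009, 10, 1)
POST_DEADLINE_DATE = date(2010, 7, 1)

if __name__ == "__main__":
    for today in (ASSESSMENT_DATE, POST_DEADLINE_DATE):
        print(f"--- as of {today} ---")
        for f in assess(SAMPLE_INVENTORY, today):
            print(f"{f.ssid:14} {f.status:14} {f.detail}")
```

Run as of October 2009 the legacy network is flagged for remediation with the days remaining, the post-cutoff WEP network is already non-compliant, and the WPA2 network passes; run as of July 2010 both WEP networks are non-compliant.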
Thakar also gave the thumbs-up to the inclusion of PDAs in Version 1.2. "There are so many companies now using the new iPhones, which can connect over a virtual private network to your company network," he said.
This article was first published on InternetNews.com.