The Green Sheet Online Edition
September 08, 2008 • Issue 08:09:01
Sun setting on PCI version 1.1
The Payment Card Industry (PCI) Security Standards Council (SSC), managing body for the PCI Data Security Standard (DSS), disclosed a summary of proposed changes it will make to version 1.1 of the PCI DSS. Version 1.2 will take effect Oct. 1, 2008.
According to the Council, the changes to version 1.1 are intended to clarify and explain the 12 requirements of the PCI DSS. The main goal of the changes is to improve the "flexibility" of the PCI DSS in addressing the data security challenges that face the payments industry, the Council said.
Version 1.2 is also designed to eliminate redundancies in the requirements, consolidate the rules for protecting cardholder data and improve reporting requirements. The Council said version 1.2 will not introduce any new requirements.
"The bottom line is that this is a very modest, controlled in scope, incremental clean up - not a massive shift - that won't profoundly affect most people," said Tim Cranny, Chief Executive Officer of Panoptic Security Inc. "If you want a sporting analogy, this is not moving the goal posts, this is just a time out while they pick up some litter on the field."
Grill the Council
Bob Russo, General Manager of the Council, believes version 1.2 will be an improvement over version 1.1, and not a departure from proven best security practices. "By distributing a summary of the forthcoming changes, we are ensuring that stakeholders are not taken by surprise by any of the clarifications," he said.
The Council's advisory board and participating organizations have been providing feedback to the Council on the revisions.
The advisory board comprises 14 heavy hitters in the financial services and business sectors, including First Data Corp., Moneris Solutions Corp. and Microsoft Corp. Participating organizations are businesses and financial institutions involved in the worldwide payments industry that pay annual dues to the Council to have their opinions heard.
The Council anticipates almost 500 participating organizations will attend the PCI SSC's community meeting to be held in Orlando, Fla., Sept. 23 to 25, 2008.
"The summary of changes is just a draft of what we'll release in October, so there is still the opportunity for the Council to adjust to the feedback that we receive in the next few months," said Troy Leach, PCI SSC Technical Director.
"And the forum in Orlando is an opportunity for participating organizations to grill the council for two-and-a-half days, get their questions and concerns answered, and implement their feedback."
WEP is toast
Two significant changes in version 1.2 involve Requirement 9. The first change specifies that offsite locations where cardholder data is stored must be visited and validated once a year. The second change is to impose a sunset date for the Wired Equivalent Privacy (WEP) protocol.
WEP implementations - designed to protect data over wireless networks - will not be allowed after March 31, 2009. Current WEP users have until June 30, 2010, to switch to another wireless security platform. According to Cranny, the move away from WEP cannot happen soon enough.
"Wireless is really exposed to some fundamental threats that you don't get with cables, and this makes eavesdropping on wireless a million times easier," he said. "If you're building a wireless network today, regardless of whether or not the standard demands it of you, WEP is a bad idea, and you should avoid it."
Changes baked in
Cranny recommends Wi-Fi Protected Access (WPA), a solution that he feels is superior to WEP.
According to Cranny, WPA is cost-effective and much more reliable than WEP, and it doesn't require merchants to make a huge change in their hardware.
"What we're actually seeing is that [WPA] is being baked into the revised standard, and after March 31 of next year, WEP will not be allowed to be deployed," he said.
Leach did not go as far as Cranny. After considerable response from both merchants and payment professionals, Leach said the PCI SSC concluded WEP was an insecure protocol. But Leach said the Council is evaluating several alternatives to WEP suggested by its advisory board and participating organizations.
"Really, the bottom line is that this is just an opportunity to clarify 1.2," Leach said. "When the next standard is released in 2010, the payment landscape and security issues will evolve significantly, so I think there will probably be more changes in that release of the standard."
The Council stated it reserves the right to make final revisions to version 1.2 prior to publication.