The Green Sheet Online Edition

September 08, 2008  •  Issue 08:09:01

Sun setting on PCI version 1.1

The Payment Card Industry (PCI) Security Standards Council (SSC), managing body for the PCI Data Security Standard (DSS), disclosed a summary of proposed changes it will make to version 1.1 of the PCI DSS. Version 1.2 will take effect Oct. 1, 2008.

According to the Council, the changes to version 1.1 are intended to clarify and explain the 12 requirements of the PCI DSS. The main goal of the changes is to improve the "flexibility" of the PCI DSS in addressing the data security challenges that face the payments industry, the Council said.

Version 1.2 is also designed to eliminate redundancies in the requirements, consolidate the rules for protecting cardholder data and improve reporting requirements. The Council said version 1.2 will not introduce any new requirements.

"The bottom line is that this is a very modest, controlled in scope, incremental clean up - not a massive shift - that won't profoundly affect most people," said Tim Cranny, Chief Executive Officer of Panoptic Security Inc. "If you want a sporting analogy, this is not moving the goal posts, this is just a time out while they pick up some litter on the field."

Grill the Council

Bob Russo, General Manager of the Council, believes version 1.2 will be an improvement over version 1.1, and not a departure from proven best security practices. "By distributing a summary of the forthcoming changes, we are ensuring that stakeholders are not taken by surprise by any of the clarifications," he said.

The Council's advisory board and participating organizations have been providing feedback to the Council on the revisions.

The advisory board comprises 14 heavy hitters in the financial services and business sectors, including First Data Corp., Moneris Solutions Corp. and Microsoft Corp. Participating organizations are businesses and financial institutions involved in the worldwide payments industry that pay annual dues to the Council to have their opinions heard.

The Council anticipates almost 500 participating organizations will attend the PCI SSC's community meeting to be held in Orlando, Fla., Sept. 23 to 25, 2008.

"The summary of changes is just a draft of what we'll release in October, so there is still the opportunity for the Council to adjust to the feedback that we receive in the next few months," said Troy Leach, PCI SSC Technical Director.

"And the forum in Orlando is an opportunity for participating organizations to grill the council for two-and-a-half days, get their questions and concerns answered, and implement their feedback."

WEP is toast

Two significant changes in version 1.2 involve Requirement 9. The first change specifies that offsite cardholder data storage locations must be visited and validated once a year. The second change imposes a sunset date for the Wired Equivalent Privacy (WEP) protocol.

WEP implementations - designed to protect data over wireless networks - will not be allowed after March 31, 2009. Current WEP users have until June 30, 2010, to switch to another wireless security platform. According to Cranny, the move away from WEP cannot happen soon enough.

"Wireless is really exposed to some fundamental threats that you don't get with cables, and this makes eavesdropping on wireless a million times easier," he said. "If you're building a wireless network today, regardless of whether or not the standard demands it of you, WEP is a bad idea, and you should avoid it."

Changes baked in

Cranny recommends Wi-Fi Protected Access (WPA), a solution that he feels is superior to WEP.

According to Cranny, WPA is cost-effective and much more reliable than WEP, and it doesn't require merchants to make a huge change in their hardware.

"What we're actually seeing is that [WPA] is being baked into the revised standard, and after March 31 of next year, WEP will not be allowed to be deployed," he said.
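The two WEP dates reported above (no new WEP deployments after March 31, 2009; existing WEP gone by June 30, 2010) can be turned into a simple inventory check. The script below is an added illustration, not code from the Council or from Panoptic Security; the access-point inventory is constructed, and the `AccessPoint` fields and verdict strings are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

# Dates stated in the article for the PCI DSS v1.2 WEP sunset.
NO_NEW_WEP_AFTER = date(2009, 3, 31)      # WEP may not be newly deployed after this date
WEP_REMOVAL_DEADLINE = date(2010, 6, 30)  # existing WEP must be replaced by this date


@dataclass
class AccessPoint:
    ssid: str
    encryption: str   # assumed values: "WEP", "WPA", "WPA2", "OPEN"
    deployed: date    # date the access point went into service


def assess(ap: AccessPoint, today: date) -> str:
    """Return a verdict string for one access point against the v1.2 WEP rules."""
    enc = ap.encryption.upper()
    if enc in ("WPA", "WPA2"):
        return "ok"
    if enc == "OPEN":
        return "fail: no encryption"
    if enc == "WEP":
        # WEP brought up after the cutoff is a new deployment and is disallowed outright.
        if ap.deployed > NO_NEW_WEP_AFTER:
            return "fail: WEP deployed after new-deployment cutoff"
        # Legacy WEP is tolerated only until the removal deadline.
        if today > WEP_REMOVAL_DEADLINE:
            return "fail: WEP past removal deadline"
        return f"warn: legacy WEP, must migrate by {WEP_REMOVAL_DEADLINE.isoformat()}"
    return f"fail: unknown encryption {ap.encryption!r}"


def audit(aps, today: date) -> dict:
    """Map each SSID to its verdict so the result can be reported or asserted on."""
    return {ap.ssid: assess(ap, today) for ap in aps}


# Constructed sample inventory for the example.
SAMPLE = [
    AccessPoint("store-pos", "WEP", date(2008, 1, 15)),   # legacy WEP, still in grace period
    AccessPoint("store-new", "WEP", date(2009, 5, 1)),    # WEP deployed after the cutoff
    AccessPoint("store-wpa", "WPA2", date(2009, 5, 1)),   # compliant replacement
    AccessPoint("guest", "OPEN", date(2008, 6, 1)),       # no encryption at all
]

if __name__ == "__main__":
    for ssid, verdict in audit(SAMPLE, date(2009, 10, 1)).items():
        print(f"{ssid:12} {verdict}")
```

Running the same inventory with a `today` after June 30, 2010 turns the legacy WEP warning into a failure, which is the behaviour a migration tracker needs.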

Leach did not go as far as Cranny. After considerable response from both merchants and payment professionals, Leach said the PCI SSC concluded WEP was an insecure protocol. But Leach said the Council is evaluating several alternatives to WEP suggested by its advisory board and participating organizations.

"Really, the bottom line is that this is just an opportunity to clarify 1.2," Leach said. "When the next standard is released in 2010, the payment landscape and security issues will evolve significantly, so I think there will probably be more changes in that release of the standard."

The Council stated it reserves the right to make final revisions to version 1.2 prior to publication.