Credit-card security standard issued after much debate

End-to-end encryption and virtualization security on horizon for credit/debit card handlers.

The Payment Card Industry Security Standards Council, the organization that sets technical requirements for processing credit- and debit-cards, Wednesday issued revised security rules, while also indicating next year it will focus on new guidelines for end-to-end encryption, payment machines and virtualization.

The PCI 1.2 data security standard (DSS) -- the subject of debate as it was edging toward finalization at last week's Council meeting in Orlando where about 625 attendees from the retailing sector and the high-tech industry showed up to discuss it -- seeks to clarify several parts of the earlier 12-part PCI 1.1 standard that had many confused.

For instance, it clarifies that all operating systems associated with card processing have to run antivirus software, while many had thought this was only about Microsoft Windows.

"That sounds like a sensible piece of advice," says Sushila Nair, product manger at BT, who says organizations often deploy antivirus on Windows but erroneously believe Unix and Macs and other operating systems are somehow more invulnerable. However, she notes accommodating the clarified PCI rule on antivirus in many places will be "expensive."

One of the biggest topics of debate at the PCI meeting is how to determine what "network segmentation" means because the PCI standard is aimed at trying to devise technical methods to cordon off where credit cards are stored so that PCI compliance assessment can be focused on specific parts of a merchant's network involved with cardholder data, not the entire enterprise.

"There was a lot of talk about network segmentation," says Sumedh Thakar, PCI solutions manager at Qualys, who attended the council meeting in Orlando. "A lot of merchants were trying to get answers. The guidelines now are to restrict access using firewalls."

The PCI 1.2 standard focuses a lot of its first pages on network segmentation. The document states that network segmentation today "is not a requirement," but that "without network segmentation [sometimes called a 'flat network'] the entire network is in the scope of the PCI DSS assessment."

Because the goal of compliance is to gauge what's in the scope of the PCI DSS, the PCI 1.2 standard advises the use of "internal firewalls, routers with strong access control" and other network-restricting technologies to assure internal network segmentation for card-processing purposes.

Bob Russo, general manager at the Council, said he expects the group to issue recommendations next year in the form of a white paper and possibly update or refine the guidance on it.

Qualys on Wednesday introduced a Web-application scanning service targeted at satisfying the new requirement that part 6.6 of PCI 1.2 brings for conducting vulnerability tests of Web-facing applications "at least annually or after any changes." An alternate technology allowed in PCI 1.2 in the 6.6 rule would be installing a Web application firewall.

One new rule expected to have some impact on merchants with wireless networks is not allowing after March 31 of next year new implementations of the Wired Equivalent Privacy (WEP), deemed to be too weak, , and that all WEP must be phased out by June 2010. The Wi-Fi Protected Access standard is advocated in its place.

"WEP is going to be the biggest issue the merchants face out of this," Russo predicts.

Even as merchants and other organizations processing credit cards pore over the 73-page PCI 1.2 standard document to figure out the changes so they can make adjustments to ensure PCI compliance for their next annual review required by their merchant banks, they need to know that other changes are in the wind for next year.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags pci standard

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Ellen Messmer

Network World
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?