New credit card security rules to have impact

Revisions, though minor, involve "some noteworthy changes" that will impact compliance efforts in future, say industry experts. New version takes effect Oct. 1.

An upcoming revision of the Payment Card Industry (PCI) Data Security Standard (DSS) will impact the way banks, merchants and financial service providers deploy new technology, say industry watchers.

The updates in PCI DSS version 1.2, scheduled for launch Wednesday, are "relatively minor" and primarily focused on clarifying the guidelines, Dave Howell, RSA's senior manager for PCI solutions, told ZDNet Asia in an e-mail interview Tuesday. However, Howell noted that there are "some noteworthy changes that will impact compliance efforts moving forward".

The PCI DSS is a set of guidelines, governed by the PCI Security Standards Council, aimed at tightening customer data security, preventing fraud and keeping out security vulnerabilities. Organizations that store, process or transmit credit or debit cardholder data have to be compliant with the guidelines, which were first established in January 2005.

PCI DSS 1.1, the current version, was released in September 2006.

One significant change in the new version, Howell said, concerns the use of WEP (Wired Equivalent Privacy) in managing cardholder data. Under Requirement 4 of the framework, which calls for the transmission of cardholder data across open or public networks to be encrypted, new WEP implementations will not be allowed after next March. Existing implementations must be discontinued after Jun. 30, 2010.

Howell said: "This may mean some work for organizations that currently have WEP deployments, as they move to strong cryptography."

In version 1.1, the security council recommended encrypting cardholder data transmissions using Wi-Fi Protected Access (WPA or WPA2) technology, and required stakeholders not to rely exclusively on WEP as a means of protecting confidentiality and controlling access to a wireless LAN.

Described as one of the weakest forms of security for wireless LANs, WEP encryption reportedly can be broken within seconds. Last year, over 45 million customer records of U.S. apparel retailer TK Maxx were compromised after its parent company's wireless network, secured using WEP, was hacked.

Some flexibility, more checks
RSA's Howell said compliant organizations will have added flexibility in security patching, with the introduction of a risk-based approach. This framework allows organizations to focus first on addressing risks that pose the greatest threat, "rather than the previous mandate of installing all patches, regardless of the actual threat, within 30 days", he explained.

Another updated requirement specifies that logs from external-facing technologies, such as firewalls or domain name servers, must be copied to an internal log server, said Howell. Three months of audit trail history must also be immediately available for analysis, or be quickly accessible via the Web or from archive.

"These updates will be challenging for ... organizations using log management platforms that do not support a wide variety of log formats, or those that use a relational database where efficiently storing all the log data in its entirety may be problematic", he explained.

Uantchern Loh, Deloitte's regional managing partner for enterprise risk services in the Asia-Pacific region, also noted that an area that could potentially influence the technology refresh plans of compliant organizations involves the need to subject their public-facing Web applications to greater checks. This requires them to either carry out vulnerability assessments at periodic intervals, or implement an application-layer firewall, Loh said in an e-mail interview.

Under the revised guidelines, compliant organizations would also need to provide antivirus protection for all operating systems. While the current version called for antivirus software to be installed on systems commonly affected by viruses, it noted that Unix-based operating systems or mainframes are typically not included in this list.

Despite the changes, Loh said Asian organizations will be prepared to comply with PCI DSS v1.2, given their existing exposure to the guidelines and a heightened awareness of the need for a secure business environment.

"The immediate challenge for [banks, merchants and service providers] would be in terms of the upgrading investments, and work that needs to be carried out to comply with the new guidelines, particularly in the current economic climate," he noted. "However, ultimately, these organizations are likely to comply, driven by their motivation to provide their customers with higher standards of service and greater assurance of secured management of their cardholder information."

Payment card brands Visa and Mastercard were unable to respond in time for the article.