New security rules on tap for credit-card handlers

Companies that handle credit cards can expect to see revised security rules released in early October, according to the group responsible for maintaining the Payment Card Industry security standard for storage and processing of credit and debit cards.

The next version of the 12-part PCI Data Security Standard is aimed at clarifying questions that merchants and service providers had regarding the current PCI DSS 1.1 standard, says Bob Russo, general manager of the PCI Security Standards Council. Some changes in the forthcoming Version 1.2 may prompt merchants and service providers to make adjustments in their security practices to achieve PCI compliance in the future, he adds.

"We're still tweaking this, but we expect to be finished by September 8th," Russo says. DSS 1.2 will be shared with council members including merchants; card association founders, such as Visa and MasterCard; card processors; and vendors certified to perform network scans or audits as part of the PCI compliance process.

The PCI DSS 1.2 document will be presented at the council's upcoming community meetings in Orlando and Brussels. Upon the official October publication of PCI DSS 1.2, the council will set deadlines for supporting the revised standard. Under discussion now is a sunset date of June 30, 2009 for PCI DSS 1.1.

PCI DSS 1.2 is not yet final, but the council is previewing what businesses can expect to see by October.

For one thing, there will be a clarification on the first rule related to using firewalls to protect cardholder data; the revised standard will change the requirement to review firewall rules from every quarter to every six months.

The council also will remove references to Wired Equivalency Privacy (WEP) to emphasize the use of stronger encryption and authentication for wireless networks. Companies using wireless technologies will be expected to implement "industry best practices," including 802.11x. Specifically, new implementations of WEP are not expected to be allowed after March 31, 2009, though current implementations could continue longer -- until June of next year, under the council's current thinking.

In addition, the revised standard probably will remove the requirement to disable service-set identifier (SSID) broadcast, because disabling SSID broadcast does not prevent a malicious user from determining the SSID, according to the council.

Among other clarifications, the revised standard will note that the requirement to use antivirus software extends to all operating system types. Software patching revisions will clarify that a "risk-based approach" for prioritization of patch installation is acceptable. In the matter of assigning a unique ID to each person for computer access, the Version 1.2 standard is expected to clarify that both passwords and passphrases -- authentication challenges that require answers that the user should know -- are acceptable for PCI compliance.