On October 1, the Payment Card Industry Data Security Standard (PCI DSS) will undergo significant changes.
E-Commerce Times does a good job of outlining PCI DSS v1.2. The new iteration of PCI contains no revolutionary changes. Instead, the PCI Council has tightened and added clarity to the 12 requirements that were put in place with the adoption of Version 1.1 in September 2006. Though companies will be able to implement the changes gradually, they should begin paying attention now.
One expert, though he characterizes the changes as small, says some have "significant implications." Among the most important are the placement of firewalls around routers and increased attention to antivirus software. Wired Equivalent Privacy (WEP) will no longer be permitted for wireless security.
A good level of detail and explanation, especially surrounding the end of the WEP era as it pertains to transmission of credit card data, is available in this CSO Online Q&A with Bob Russo and Troy Leach, the PCI Security Standards Council General Manager and its Technical Director, respectively. Russo said that exceptions are possible, but in general no new WEP implementations will be allowed after March 2009, and existing implementations will need to be WEP-free by the end of June 2010. Leach says that WEP is considered so risky that even current implementations require many caveats that are confusing to some merchants. This contributed to the decision to phase out WEP completely. (WEP keys can be recovered from a modest amount of captured wireless traffic with freely available tools, so the protocol offers cardholder data little real protection.)
It is possible that The Aberdeen Group timed the release of its report "PCI DSS and Protecting Cardholder Data" to roughly coincide with the advent of version 1.2 of the standard. In any case, the firm found that organizations that did the best job of adopting the standard reduced failed audits by 40 percent to 50 percent, and reduced the time and cost of remediating those failures, compared to a year ago.
The name of this blog -- PCI DSS News and Information -- makes it a definite bookmark for companies that must deal with PCI. This post at the site raises an important issue. The writer -- and the Aegenis Newsletter, from which it excerpts liberally -- suggests that companies often accept PCI guidance without getting a second opinion, even though the people in an organization advocating a particular path for PCI frequently have only a superficial understanding of the sector. The post doesn't go into detail on any particular PCI issue, but simply counsels executives to exercise caution and do the research that befits such an important decision.

There are two valuable elements to this story in The Tech Herald. In addition to validating the idea that version 1.2 of the rules represents no sea change from the original standard, the piece reiterates the six principles upon which both versions of the standard are based. The writer also points out that companies using version 1.1 will be able to finish ongoing assessments without implementing the newer version, even if the work finishes after October 1. Finally, the writer notes that the PCI Security Standards Council will hold two meetings, on September 23 to 25 in Orlando, Fla., and October 22 to 23 in Brussels, at which the standards will be discussed in detail.