The group that administers the Payment Card Industry Data Security Standard — or PCI, for short — this week released a summary of the changes that are being made to the requirements in a revision scheduled to be published in October.
As expected, the modifications that the PCI Security Standards Council is implementing in the upcoming Version 1.2 of the standard are largely incremental in nature and appear unlikely to cause any major new compliance challenges for companies, analysts said. In fact, the update will ease some of the mandates set by the standard, such as how quickly software patches need to be applied to systems.
The PCI standard was created by the major credit card companies, including Visa, MasterCard and American Express, to try to prevent the theft of credit and debit card data from retail systems. The standard, which went into effect in June 2005, outlines 12 broad security controls that retailers, online merchants, data processors and other businesses must implement to protect cardholder data. Companies that fail to meet the requirements are subject to fines and potentially can be barred from processing payment card transactions.
Version 1.2 is due to be published on Oct. 1 as the first update of the PCI standard. The PCI council, which was set up two years ago to manage the standard, said in the summary FAQ document released this week that a "sunset date" has yet to be set for using the initial version of the standard. Companies will, however, have at least three months after the sunset date is published before they must conduct security assessments using Version 1.2, the council said.
Most of the upcoming changes appear to be relatively minor refinements to the existing security controls, according to Jim Huguelet, an independent PCI consultant in Bolingbrook, Ill. "There really isn't anything here that should be too troubling for organizations," he said.
For example, changes are being made to the requirements related to deployment of software patches. Huguelet said that PCI 1.2 will allow companies to adopt more risk-based approaches to deploying patches instead of requiring them to install relevant patches within one month of the fixes being released, as is the case now. That will enable IT and security managers to use more of their own judgment in determining how quickly to patch systems based on their own threat assessments, he added.
Similarly, under Version 1.2, companies will be required to review their firewall rules only once every six months, as opposed to the quarterly requirement set by the current PCI standard.
On the other hand, the new version will require companies to stop using the Wired Equivalent Privacy (WEP) protocol to secure wireless communications involving cardholder data. New implementations of WEP won't be allowed after next March, while current wireless setups based on that protocol must be discontinued by June 30, 2010.
Going forward, wireless security will need to be based on stronger authentication protocols, such as the Wi-Fi Protected Access specification and its more advanced WPA2 cousin. "We are drawing the line in the sand here," said Bob Russo, the PCI council's general manager. "WEP is just not going to cut it."
In addition, companies that maintain off-site data storage facilities will be required to visit them at least once annually under PCI 1.2.
The new version is a "definite improvement" on the existing PCI standard, said Avivah Litan, an analyst at Gartner Inc. But, she added, the PCI council appears to have missed a chance to introduce some other long-needed changes.
According to Litan, one of the biggest issues with the PCI standard is that it makes very little distinction between networks belonging to large companies that process large volumes of card transactions and those belonging to businesses with much smaller transaction volumes. In large, complex network environments, it's often hard to say what exactly is covered by PCI and what isn't, she said. The standard, Litan claimed, allows for too much interpretation and leaves it entirely to PCI assessors to determine the scope of what needs to be protected.
Moreover, the standard is targeted primarily at e-commerce systems and isn't always clear on how the requirements should be applied in highly distributed brick-and-mortar environments, Litan said. For instance, many retailers continue to connect servers at each of their stores to systems in other locations — but thus far, at least, the PCI standard has provided little guidance on that risky practice.
Litan said there also is considerable ambiguity surrounding the requirements for third-party service providers, such as call centers that might be processing cardholder data on behalf of retailers. "What are your obligations," she asked, "if you are taking in card numbers and phone numbers and entering them into systems that are not yours?"
Another key missing element is guidance on how end-to-end encryption of cardholder data would affect a company's compliance obligations, Litan said.
To Litan, the new version of the standard would have been an ideal opportunity for the PCI council to have incorporated language clarifying such issues. "The questions that come up every day are not addressed at all by this upgrade," she said. "This is just really more of tinkering around the edges."
In response to Litan's comments, Russo said the updates being made in PCI 1.2 were based on feedback received over the past 18 months from more than 500 companies that are members of the PCI council. The changes address all of the concerns raised about the initial version of the standard during the feedback process, he said, adding that a few further clarifications likely will be made before the revised standard is released.
The primary focus in Version 1.2, Russo said, was to add language that clarifies certain requirements and makes PCI "a little more flexible" from an implementation standpoint — not to introduce major new requirements or change the existing ones in a big way. "That's the reason we're calling this Version 1.2 and not Version 2.0," he said.
Separately, the PCI council is developing a new quality assurance process designed to ensure that the PCI compliance assessors it certifies meet certain minimum requirements, Russo said. That move is an apparent response to complaints about the inconsistent auditing practices used by assessors in determining whether companies are compliant with the PCI requirements.
Russo said that in the future, assessors will have to submit to periodic assessments of their own processes by a QA team that the council is setting up. The planned QA assessment methods have been vetted by several third-party auditing bodies to ensure that they meet industry standards and best practices, he added.