Internet Retailer - Strategies For Multi-Channel Retailing

News Stories, Tuesday, October 7, 2008

New data security standard adds flexibility and a few new requirements

The latest version of the Payment Card Industry Data Security Standard contains no dramatic changes, imposes a few new requirements on merchants and adds some flexibility in the rules that govern the handling of credit and debit card data.

Version 1.2 of the standard was issued last week by the PCI Security Standards Council. PCI is a common set of data security rules that payment card companies Visa, MasterCard, American Express, Discover and JCB have adopted. The rules apply to any organization that handles payment card data, including online and offline retailers, banks and processors.

“It’s a testament to the original standard, version 1.1, that the changes were not drastic,” says Bob Russo, general manager of the PCI Security Standards Council. “They are mostly clarifications, with a couple of lines drawn in the sand.”

Among the latter is a requirement that retailers phase out use of a wireless security technology known as WEP, which is no longer considered strong enough to withstand unauthorized intrusions into computer networks. The new PCI standard does not allow any new implementations of WEP after March 2009, and says current installations must be replaced by June 30, 2010.

The change stems in part from a number of data breaches in which hackers broke into wireless networks in stores and used that foothold to access data on millions of credit and debit cards stored in merchant computer systems. While acknowledging that WEP may have been in use in some of those breaches, Russo points out that if the merchants had not been improperly storing cardholder data, the break-ins would not have been damaging.

One example of new flexibility in PCI is that firewalls must be reviewed every six months rather than every three months. And the new rules ease the requirement that a security patch be installed within 30 days of release of the patch. Russo says some larger retailers typically take 60 to 90 days to test and install patches, and that the new rule only requires installation of a patch within 30 days when there is a significant possibility of a data compromise. “It’s a risk-based approach,” Russo says.

Among the new requirements is that computer network logs be maintained for three months, so that analysts have enough data to identify any data breach that does occur. The previous standard did not specify the length of time an audit trail had to be maintained.
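The three-month log requirement is only useful to an analyst if the retained logs actually cover the whole window without gaps. The following added example (not code from the article or from the PCI Security Standards Council) checks that property: given an inventory of log archives and the dates each one covers, it reports any date ranges inside the 90-day window that no archive covers. The archive names, dates and the 90-day figure are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample inventory: each archive with the first and last day it
# covers (inclusive). These names and dates are made up for the example.
SAMPLE_ARCHIVES = [
    ("fw-2008-07.log", date(2008, 7, 1), date(2008, 7, 31)),
    ("fw-2008-08.log", date(2008, 8, 1), date(2008, 8, 31)),
    ("fw-2008-09.log", date(2008, 9, 1), date(2008, 9, 30)),
    ("fw-2008-10.log", date(2008, 10, 1), date(2008, 10, 7)),
]

# Three months of history, approximated here as 90 days (assumption).
REQUIRED_DAYS = 90


def retention_gaps(archives, today, required_days=REQUIRED_DAYS):
    """Return (start, end) date ranges inside the retention window that no
    archive covers. An empty list means the window is fully covered."""
    window_start = today - timedelta(days=required_days - 1)
    # Clip every archive's coverage to the window and sort by start date.
    intervals = sorted(
        (max(start, window_start), min(end, today))
        for _, start, end in archives
        if end >= window_start and start <= today
    )
    gaps = []
    cursor = window_start  # first day not yet known to be covered
    for start, end in intervals:
        if start > cursor:
            gaps.append((cursor, start - timedelta(days=1)))
        if end >= cursor:
            cursor = end + timedelta(days=1)
    if cursor <= today:
        gaps.append((cursor, today))
    return gaps


def is_compliant(archives, today, required_days=REQUIRED_DAYS):
    """True when the archives leave no gap in the retention window."""
    return not retention_gaps(archives, today, required_days)


def report(archives, today_iso, required_days=REQUIRED_DAYS):
    """Human-readable gap list, e.g. ['2008-08-01..2008-08-31']."""
    today = date.fromisoformat(today_iso)
    return [f"{s.isoformat()}..{e.isoformat()}"
            for s, e in retention_gaps(archives, today, required_days)]


if __name__ == "__main__":
    print("compliant:", is_compliant(SAMPLE_ARCHIVES, date(2008, 10, 7)))
    missing_august = [a for a in SAMPLE_ARCHIVES if a[0] != "fw-2008-08.log"]
    print("gaps without August:", report(missing_august, "2008-10-07"))
```

The check is deliberately about coverage rather than file count: a merchant who keeps ninety days of firewall logs but lost one month to a rotation misconfiguration has a gap an investigator will hit, and this is the kind of condition an assessor would want a merchant to detect before a breach rather than during one.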

Version 1.2 also highlights the requirement that every company at least once a year update its security policies and make sure employees and vendors are familiar with the policies. Retailers are responsible for their payment processors and other vendors complying with PCI, Russo notes.

The PCI standard is updated every two years by the PCI Security Standards Council, which maintains PCI and two other security standards. The organization has more than 520 members, including such major multi-channel retailers as Staples, No. 2 in the Internet Retailer Top 500 Guide, No. 6 OfficeMax, No. 11 QVC, No. 12 Best Buy, No. 14 Wal-Mart, No. 15 J.C. Penney, No. 21 Williams-Sonoma and No. 37 Barnes & Noble.


Copyright © 2009 This content is the property of Vertical Web Media. Privacy Policy