Credit-card security standard issued after much debate

Credit-card security standard issued after much debate

End-to-end encryption and virtualization security on horizon for credit/debit card handlers

By Ellen Messmer , Network World , 10/01/2008

Share/Email Buzz up! 3 Comments Print

The Payment Card Industry Security Standards Council, the organization that sets technical requirements for processing credit- and debit-cards, last week issued revised security rules. The council also indicated that next year it will focus on new guidelines for end-to-end encryption, payment machines and virtualization.

Adherence to PCI rules could play a key role in preventing big data thefts, like the 2005 TJX breach, security experts say. 

New! Watch this Network World Webcast – Minimizing the Risk of Information Security Breaches: Best Practices for SOA Governance and Compliance – Live October 21

The PCI 1.2 data security standard (DSS) seeks to clarify several pieces of the earlier 12-part PCI 1.1 standard that had many confused. Among other things, Version 1.2 clarifies that all operating systems associated with card processing have to run antivirus software, while many had thought this was only about Microsoft Windows.

"That sounds like a sensible piece of advice," says Sushila Nair, product manger at BT, who says organizations often deploy antivirus on Windows but erroneously believe Unix and Macs and other operating systems are somehow more invulnerable. However, she notes accommodating the clarified PCI rule on antivirus in many places will be "expensive."

Related Content

The PCI 1.2 standard from the PCI Security Standards Council

Hannaford discloses data breach

Details emerging on Hannaford data breach

New payment-card rules on tap

Spyware: Know Your EnemyWHITEPAPER

Credit card skimming: How thieves can steal your card info without you knowing itSLIDESHOW

TriCipher launches hosted identity federation service

IBM software bundle targets retail theft, data breaches

Sun goes commercial with OpenSSO

IT Search: What it is and how it helpsWHITEPAPER

Start-up adds SSO to cloud integration platform

Retail security: ‘Knee-jerk’ standards compliance isn’t enough

View all related articles

Click to see: Chart of what's new with PCI standard

One of the biggest topics of debate at last month's PCI Council meeting was how to determine what "network segmentation" means since the standard is aimed at trying to devise technical methods to cordon off where credit cards are stored so that PCI compliance assessment can be focused on specific parts of a merchant's network involved with cardholder data.

"There was a lot of talk about network segmentation," says Sumedh Thakar, PCI solutions manager at vulnerability management and policy compliance product company Qualys. "A lot of merchants were trying to get answers. The guidelines now are to restrict access using firewalls."

The PCI 1.2 standard advises the use of "internal firewalls, routers with strong access control" and other network-restricting technologies to assure internal network segmentation for card-processing purposes.

Some IT managers say the PCI-based reviews that their organizations are now undergoing are already based on PCI 1.2 as the baseline. Such reviews are typically carried out by PCI Council-certified assessors if self-assessment procedures aren't applicable.

"It was in draft form so we decided to use that since there seemed to be no point in using 1.1 anymore," says one IT manager, who preferred not to be named. But he says his organization is finding it very difficult to isolate the network to protect specific servers and applications associated with cardholder data, plus monitor and log according to the PCI 1.2 guidelines.

Credit-card security standard issued after much debate
– Network World