The PCI Security Standards Council has quietly introduced two special interest groups (SIG) designed to recommend
future changes to the data security standards.
The two groups, formed recently, will focus on addressing the security of credit card data prior to authorizing a transaction and the wireless transmission of credit card information, said Bob Russo, general manager of the PCI Security Standards Council.
The pre-authorization group may focus on how the standards could address pre-authorization of data storage, which is currently managed by the individual card brands.
The wireless SIG will focus on rapidly changing wireless security issues, Russo said. There also have been a number of clarifications to the standards addressing the transmission of wireless data.
"When the standard comes out at the end of September there will be more clarifications and more tweaking, especially in this particular area," Russo said. "The wireless area is one that changes so rapidly that it's hard to keep up and something that we have to address and keep up on regularly."
The group focusing on wireless issues met two weeks ago. The pre-authorization group will meet next week to get organized and establish objectives, Russo said.
The council released a summary of the clarifications being issued in version 1.2 of the PCI standards. Due out in October, the latest version will remove references to WEP security to get organizations to use stronger encryption over wireless networks. New implementations of WEP are not allowed after March 31, 2009. Current implementations must discontinue use of WEP after June 30, 2010. Pre-authorization security is not addressed in the latest clarifications, nor is it addressed in version 1.1 of the standards.
"I don't really see 1.2 as a major change for people," Russo said. "If you've already started down the road on 1.1 there's no need to worry about changes."
In addition to a clarification addressing antivirus software -- making antivirus a requirement for all operating systems -- version 1.2 also addresses patching, specifying a risk-based approach to be used to prioritize patch deployments. Russo said the council is being more flexible with patching since it could take large companies more than 30 days to properly test patches before they are deployed.
"We didn't want to make a blanket statement that everything must take 30 days," Russo said. "A standard patching policy is ok, but each patch has to be looked at for the risk that it addresses. … based on a risk-based approach."
The SIGs are led by a member of the PCI board of advisors. Participating organizations may assign a representative to take part in the SIG and propose additional groups to focus on topics of concern, Russo said.
"These are truly special interest groups that are run by the participating organizations.".
The two groups will present their goals and objectives in a session at the council's Community Meeting in September 23-25 in Orlando.