
PCI groups to focus on wireless, pre-authorization changes

By Robert Westervelt, News Editor
21 Aug 2008 | SearchSecurity.com


The PCI Security Standards Council has quietly introduced two special interest groups (SIGs) designed to recommend future changes to the data security standards.

The two groups, formed recently, will focus on addressing the security of credit card data prior to authorizing a transaction and the wireless transmission of credit card information, said Bob Russo, general manager of the PCI Security Standards Council.

The pre-authorization group may focus on how the standards could address pre-authorization of data storage, which is currently managed by the individual card brands.

The wireless SIG will focus on rapidly changing wireless security issues, Russo said. There also have been a number of clarifications to the standards addressing the transmission of wireless data.

"When the standard comes out at the end of September there will be more clarifications and more tweaking, especially in this particular area," Russo said. "The wireless area is one that changes so rapidly that it's hard to keep up and something that we have to address and keep up on regularly."

The group focusing on wireless issues met two weeks ago. The pre-authorization group will meet next week to get organized and establish objectives, Russo said.

The council released a summary of the clarifications being issued in version 1.2 of the PCI standards. Due out in October, the latest version will remove references to WEP security to get organizations to use stronger encryption over wireless networks. New implementations of WEP are not allowed after March 31, 2009. Current implementations must discontinue use of WEP after June 30, 2010. Pre-authorization security is not addressed in the latest clarifications, nor is it addressed in version 1.1 of the standards.

"I don't really see 1.2 as a major change for people," Russo said. "If you've already started down the road on 1.1 there's no need to worry about changes."

In addition to a clarification addressing antivirus software -- making antivirus a requirement for all operating systems -- version 1.2 also addresses patching, specifying a risk-based approach to be used to prioritize patch deployments. Russo said the council is being more flexible with patching since it could take large companies more than 30 days to properly test patches before they are deployed.

"We didn't want to make a blanket statement that everything must take 30 days," Russo said. "A standard patching policy is ok, but each patch has to be looked at for the risk that it addresses. … based on a risk-based approach."

The SIGs are led by a member of the PCI board of advisors. Participating organizations may assign a representative to take part in the SIG and propose additional groups to focus on topics of concern, Russo said.

"These are truly special interest groups that are run by the participating organizations."

The two groups will present their goals and objectives in a session at the council's Community Meeting, September 23-25 in Orlando.
