PCI groups to focus on wireless, pre-authorization changes

By Robert Westervelt, News Editor
21 Aug 2008 | SearchSecurity.com


The PCI Security Standards Council has quietly introduced two special interest groups (SIG) designed to recommend future changes to the data security standards.
The two groups, formed recently, will focus on addressing the security of credit card data prior to authorizing a transaction and the wireless transmission of credit card information, said Bob Russo, general manager of the PCI Security Standards Council.

The pre-authorization group may focus on how the standards could address the storage of pre-authorization data, which is currently governed by the individual card brands.

The wireless SIG will focus on rapidly changing wireless security issues, Russo said. There also have been a number of clarifications to the standards addressing the transmission of wireless data.

"When the standard comes out at the end of September there will be more clarifications and more tweaking, especially in this particular area," Russo said. "The wireless area is one that changes so rapidly that it's hard to keep up and something that we have to address and keep up on regularly."

The group focusing on wireless issues met two weeks ago. The pre-authorization group will meet next week to get organized and establish objectives, Russo said.

The council released a summary of the clarifications being issued in version 1.2 of the PCI standards. Due out in October, the latest version will remove references to WEP security in order to push organizations toward stronger encryption on wireless networks. New implementations of WEP are not allowed after March 31, 2009, and existing implementations must discontinue use of WEP after June 30, 2010. Pre-authorization security is not addressed in the latest clarifications, nor is it addressed in version 1.1 of the standards.

"I don't really see 1.2 as a major change for people," Russo said. "If you've already started down the road on 1.1 there's no need to worry about changes."

In addition to a clarification addressing antivirus software -- making antivirus a requirement for all operating systems -- version 1.2 also addresses patching, specifying a risk-based approach to be used to prioritize patch deployments. Russo said the council is being more flexible with patching since it could take large companies more than 30 days to properly test patches before they are deployed.

"We didn't want to make a blanket statement that everything must take 30 days," Russo said. "A standard patching policy is ok, but each patch has to be looked at for the risk that it addresses. … based on a risk-based approach."

The SIGs are led by a member of the PCI board of advisors. Participating organizations may assign a representative to take part in the SIG and propose additional groups to focus on topics of concern, Russo said.

"These are truly special interest groups that are run by the participating organizations."

The two groups will present their goals and objectives in a session at the council's Community Meeting, September 23-25 in Orlando.
