August 19, 2008

PCI Security Standards Council: Summary of Changes DSS 1.1 to 1.2

Yesterday the SSC released a 4 page summary document of changes to the PCI-DSS. The next version of the DSS is due out on October 1 this year.

So how's it look? Overall, we're pretty encouraged. The core changes relate to wording clarification and will help merchants and retailers to understand available options for compensating controls.

As with any update, though, it looks like this one might have introduced some big questions as it simultaneously answered many others. Let's take a closer look:

Cause for Celebration Changes

Requirement 1 – “…review of firewall rules, from quarterly to every 6 months…”

This one is going to make a lot of people happy – though we hope the DSS stresses review for change management assessment and control every time a change to the rules takes place.

Requirement 3 – “Emphasized use of consistent terms throughout, such as ‘PAN’ and ‘strong cryptography’”

Another good move, we can’t tell you how many times we’ve been asked what the council means by “strong crypto” – having clarification will make answering this easier for merchants and retailers.

Requirement 6 – “Added flexibility to the patching requirement by specifying that a risk-based approach may be used to prioritize patch installation”

The end of the 30 day mandatory patch cycle? We can hear the cheers going up around the globe. Consider: retailer “A”, who willy-nilly installs a patch into production, vs. retailer “B”, who wants to test thoroughly, prioritize, and follow a robust pre-production process. Under the old rules, retailer “B” (who arguably has a better process) would be penalized and retailer “A” would be OK. Now they’re both in good standing. This is a good move.

Requirement 9 – “Provided flexibility in the requirement for cameras to allow organizations to select other appropriate access control mechanisms”

Ah! This one caused many merchants concern, especially in smaller stores and for all POS – this change will be welcome and does not need to impact overall security if the controls in the 1.2 version are robust and well thought out. Now your local steakhouse won’t be out of compliance for not having cameras in the dining room!

“Clarified that the requirement to secure media applies to electronic and paper media that contains cardholder data”

This might be a good news/bad news one. We’ve long counseled that the DSS refers to electronic and paper – some companies have tried to ignore the paper protection requirements. For security professionals, we do feel this will be welcome as it will clarify the requirements and help explain procedure and control decisions to executives who may have thought the DSS applied to e-data only.

Cause for Consternation Changes?

“Wireless must now be implemented according to industry best practices (e.g., IEEE 802.11x) using strong encryption for authentication and transmission.”

Wait – is 802.1X* now required for transmission? Does this mean SSL/TLS and IPSec are no longer viable options? This could cause problems for retailers with large legacy wireless networks that may not support 802.1X without a forklift upgrade.

“New implementations of WEP are not allowed after March 31, 2009… Current implementations must discontinue use of WEP after June 30, 2010”

This is going to hurt. Keep in mind that a number of “out of the box” POS packages rely on WEP for proper operation. I’m wondering what the blowback will be from retailers who have to replace their entire at every retail location before March 2009. I wouldn’t want to be on the other side of that conference call.

Requirement 5 – “Clarified that requirement for use of anti-virus software applies to all operating system types”

*Really*? Vendors with AV/AS for *Nix and Z/OS, get your sales forces ready! Again, this is lame. I don’t understand why they’re bothering to change this – under the old rules, only systems that could get malware were required to have AV. Under these new rules, every system under the sun has to have it – even those platforms that don’t necessarily have readily-implementable AV. Again, I’m not sure what the motivation here was, but I’m not sure this is a good move.

And finally a couple of special call-outs:

Score one for the Wireless Experts

“Removed requirement to disable SSID broadcast since disabling SSID broadcast does not prevent a malicious user from determining the SSID”

Yee-haw! This is a poorly understood reality of the wireless networking world – props to the DSS writers who got this right. Now if they’ll convince AirMagnet to stop reporting on it…

Copy Editor Finger Wagging:

*Requirement 4: “Wireless must now be implemented according to industry best practices (e.g., IEEE 802.11x)”

802.11x is sort of the “Gen-X” of the 802.11 world. There’s no IEEE standard for it – perhaps the Council meant, “the IEEE for changes to 802.11”? More likely, the Council meant 802.1X – the IEEE standard for authentication and key management on Wired and Wireless networks.

Requirement 6: “6.6 is now mandatory. All public-facing web applications are subject to… installing an application-layer firewall”

There again is the “application-layer firewall”. The fact that they called it an “application layer firewall” the first time around caused so much confusion that they had to issue specific guidance on it. Since they’re changing the document anyway, why not just change it to say “web application firewall” and get rid of the additional guidance? It’d make all our lives easier.

Posted by Ed at August 19, 2008 12:00 PM