The Payment Card Industry Security Standards Council, the organization that sets technical requirements for processing credit- and debit-cards, has issued revised security rules, while also indicating next year it will focus on new guidelines for end-to-end encryption, payment machines and virtualization.
The PCI 1.2 data security standard (DSS) — the subject of debate as it was edging toward finalization at the Council meeting in Orlando earlier this month, where about 625 attendees from the retailing sector and the high-tech industry showed up to discuss it — seeks to clarify several parts of the earlier 12-part PCI 1.1 standard that had many confused.
For instance, it clarifies that all operating systems associated with card processing have to run antivirus software, while many had thought this was only about Microsoft Windows.
“That sounds like a sensible piece of advice,” says Sushila Nair, product manger at BT, who says organizations often deploy antivirus on Windows but erroneously believe Unix and Macs and other operating systems are somehow more invulnerable. However, she notes accommodating the clarified PCI rule on antivirus in many places will be “expensive.”
One of the biggest topics of debate at the PCI meeting is how to determine what “network segmentation” means because the PCI standard is aimed at trying to devise technical methods to cordon off where credit cards are stored so that PCI compliance assessment can be focused on specific parts of a merchant’s network involved with cardholder data, not the entire enterprise.
“There was a lot of talk about network segmentation,” says Sumedh Thakar, PCI solutions manager at Qualys, who attended the council meeting in Orlando. “A lot of merchants were trying to get answers. The guidelines now are to restrict access using firewalls.”
The PCI 1.2 standard focuses a lot of its first pages on network segmentation. The document states that network segmentation today “is not a requirement,” but that “without network segmentation [sometimes called a ‘flat network’] the entire network is in the scope of the PCI DSS assessment.”
Because the goal of compliance is to gauge what’s in the scope of the PCI DSS, the PCI 1.2 standard advises the use of “internal firewalls, routers with strong access control” and other network-restricting technologies to assure internal network segmentation for card-processing purposes.
Bob Russo, general manager at the Council, said he expects the group to issue recommendations next year in the form of a white paper and possibly update or refine the guidance on it. Qualys on Wednesday introduced a Web-application scanning service targeted at satisfying the new requirement that part 6.6 of PCI 1.2 brings for conducting vulnerability tests of Web-facing applications “at least annually or after any changes.” An alternate technology allowed in PCI 1.2 in the 6.6 rule would be installing a Web application firewall.
One new rule expected to have some impact on merchants with wireless networks is not allowing after March 31 of next year new implementations of the Wired Equivalent Privacy (WEP), deemed to be too weak, , and that all WEP must be phased out by June 2010. The Wi-Fi Protected Access standard is advocated in its place.
“WEP is going to be the biggest issue the merchants face out of this,” Russo predicts.
Even as merchants and other organizations processing credit cards pore over the 73-page PCI 1.2 standard document to figure out the changes so they can make adjustments to ensure PCI compliance for their next annual review required by their merchant banks, they need to know that other changes are in the wind for next year.
PCI in 2009
2009 will be a year the Council looks at developing security guidelines for unattended payment terminals, including automated teller machines and other types of vending machines processing payment cards.
“We haven’t covered ATM machines until now,” Russo says, but next year there will be discussion about how security safeguards, such as encryption, should be used in ATMs for processing personal identification numbers.
In fact, the topic of end-to-end encryption is likely to be a central focus as the Council seeks input on how this might best be achieved in the payment-card environment through different technologies. If that is accomplished, it might result in a decidedly new PCI standard in the future for card-data protection, Russo says.
“Today we say if you’re going outside the network, you need to be encrypted, but it doesn’t need to be encrypted internally,” Russo says. “But as an example, if you add end-to-end encryption, it might negate some requirements we have today, such as protecting data with monitoring and logging. Maybe you wouldn’t have to do that. So we’ll be looking at that next year.”
Another area where more standards could emerge is in virtualization, where physical servers are being replaced with multiple virtual servers with guest applications running as virtual machines on a single physical machine. “How do you protect these virtual machines?” Russo asks. “We don’t know just yet.” But the Council hopes to spend time trying to determine the best approaches to protect card data in the realm of the VM environment.
Sometimes today’s security tools, such as scanners, aren’t always adequate, vendors acknowledge. Qualys, for instance, says the scanner it has today can eye the basic IP address but can’t dig into the virtual-machine applications, though it’s working on new tools for that.
IBM, which recently introduced its SecureStore program for providing retailers with both physical-security protection and compliance with PCI, also says there’s work to be done in virtualization security.
Virtualization’s different way of running applications is causing “some blind spots,” says Josh Corman, principal security strategist at IBM’s ISS division. But that’s why IBM last month launched its so-called Phantom initiative to build a wide range of security tools specifically for virtualized networks.
