New Version of PCI Shows More Flexibility, While PABP Takes Hold

After a summer of discussion, the Payment Card Industry Security Standards Council on Wednesday officially released Version 1.2 of the PCI data-security standard, the sweeping set of rules for protecting Visa, MasterCard, American Express, Discover, and JCB cards and transactions. Wednesday also is the first day for a Visa Inc. mandate that new Visa-accepting merchants be PCI-compliant upon booking or be using secure payment-processing software applications. A spokesperson for the Wakefield, Mass.-based PCI Security Standards Council tells Digital Transactions News by e-mail that today's release contains no significant changes from the preliminary list of updates the Council released in August. Al Hannagan, vice president of compliance at Chicago-based Trustwave, one of the big card-security assessment firms, essentially endorsed that view. “In my kind of quick review, I didn't see anything that jumped out,” he tells Digital Transactions News. He added, however, that he had not had time this morning to analyze the full 73-page document. As many observers noted over the summer, probably the biggest change in Version 1.2 from Version 1.1 is the required phase-out of Wired Equivalent Privacy, or WEP, a common but obsolete 128-bit encryption technology for protecting data flowing over wireless networks (Digital Transactions News, Aug. 19). Requirement 4.1.1 bans new WEP implementations after next March 31, and current implementations must be discontinued by June 30, 2010. It is unknown how many card-accepting merchants will have to upgrade from WEP to something stronger such as the Wi-Fi Protected Access, or WPA, but it's clear that many will. “That is the one major thing that folks need to pay attention to,” says Hannagan. “We think the WEP provision within 1.2 is the one element that's going to affect everyone the most.” Other changes are mostly clarifications and in some cases show that, in getting feedback over the past few months, the Security Standards Council “has clearly heard the cry for more flexibility,” says Hannagan. For example, the new language has more leeway than Version 1.1 does in addressing software patches?coding that fixes identified security flaws. The old rules essentially gave merchants, processors, and other users of card-processing software a month to install a patch after it became available, according to Hannagan. Version 1.2 adds a risk-based component to that period, which means installation of patches for less serious flaws can wait longer than those for more urgent problems. The change recognizes that fixing software can be a more complicated task than simply downloading a patch from a vendor, especially for merchants with many locations or that use custom-developed programs, says Hannagan. “This language allows for some flexibility,” he says. Another change involves the rules for firewalls in Requirement 1. Reviews of firewall and router rule sets are now required only every six months, not every three as under the old standard. Hannagan sees that change as recognition by the Council of “the constraints of scheduling” rather than an easing of standards. One thing that hasn't changed is that the card networks, not the PCI Council, remain responsible for enforcing the Council-developed PCI rules. Under a set of rule changes announced late last year, Visa as of today says its merchant acquirers may book new Internet-only and small merchants?the so-called Level 3 and 4 merchants, respectively?only if they are compliant with PCI or are using software that meets Visa's so-called Payment Application Best Practices, or PABP. Level 3 merchants are those that submit 20,000 to 1 million Visa e-commerce transactions annually. Level 4 refers to the smallest merchants, those submitting up to 1 million Visa transactions annually regardless of channel, or in the case of Web-only merchants, fewer than 20,000 e-commerce transactions. A Visa spokesperson was not available for comment. On Oct. 15, Visa's PABP will become the foundation of the new, PCI Council-administered Payment Application Data Security Standard, or PA-DSS (Digital Transactions News, Nov. 8, 2007). Small merchants often have the oldest, least-secure software on their point-of-sale systems. Trustwave says in a September report that Level 4 merchants accounted for 90% of the 400-plus cardholder data compromises it has investigated in more than 20 countries. Card-present merchants accounted for 69% of the breaches. Food-service merchants were by far the biggest sector compromised, suffering 52% of the breaches. Next were retailers at 27%, with no other merchant type accounting for more than 4%. The culprit in 67% of the breaches was POS software. None of the breached systems was PABP or PA-DSS compliant, Trustwave says.