Monday , December 2, 2024

The Coming PCI Update: Mostly Tweaks, but WEP Gets Whacked

The PCI Security Standards Council on Monday unveiled a preview of its soon-to-be-released Version 1.2 of the Payment Card Industry data-security standard, an update the council's boss says adds no major rules. The update will also clarify existing requirements in Version 1.1, eliminate redundancies, and in general bring up to date the comprehensive but controversial set of rules for protecting cardholder data, according to Robert Russo, general manager of the Wakefield, Mass.-based PCI Security Standards Council.

Version 1.2 takes effect Oct. 1, and between now and then the PCI Council could still make changes to the proposed update. But Russo says the new version won't impose undue new burdens on merchants and other entities that handle payment card data. “To allay any fears, we've told most people they [Version 1.2's changes] are clarifications; there are no specific new requirements,” Russo tells Digital Transactions News.

Version 1.1 took effect in 2006 and includes 12 major requirements that address everything from data storage and encryption to physical access to data to periodic testing of security systems. The pending update is the result of a council policy to revise the standard every 24 months. The major general-purpose card networks created the council two years ago to administer and update the PCI rules, though the networks themselves enforce them.

As an example of a clarification, Russo says Version 1.2 should provide better guidance about so-called scoping, the process of determining which pieces of a merchant's computer hardware, software, and networks touch payment card data and thus need to be PCI-compliant. That would seem to at least partially address complaints that PCI compliance is not only expensive but also confusing. “There are some more directions in there as to what's in scope, what's not in scope,” says Russo. “If you can cut down on the scope, it cuts down on the complexity, it cuts down on the cost and the time required to do your assessment.”

The update will set in place a phase-out of Wired Equivalent Privacy (WEP), a technology introduced in 1999 to protect data flowing over wireless networks. New WEP implementations will not be allowed after March 31, and existing implementations must discontinue use of WEP after June 30, 2010. According to Russo, a number of stronger technologies for protecting wireless networks are now available, and despite technological reinforcements meant to shore up WEP, the core technology is outdated. “It's getting to the point where you can't augment it any more,” he says.

Russo says the change is not a specific reaction to the data breaches at TJX Cos. and other retailers, breaches federal authorities say happened when hackers went “war-driving,” that is, driving around commercial areas with laptops to find vulnerable wireless networks that might yield payment card numbers (Digital Transactions News, Aug. 6). The TJX breach involved vulnerabilities in a wireless network, Russo says, though he says it is not yet clear whether WEP itself was at fault. Nonetheless, “Over the years it's just been determined that WEP is not as secure as originally thought,” he says. “These legacy systems need to be updated in some way, shape, or form. When WEP initially came out, it worked beautifully; everybody and their grandmother was using it.”

Merchants deemed by PCI assessors to be compliant with Version 1.1 will not be out of compliance come Oct. 1, according to Russo. PCI assessors, however, will use Version 1.2 as the basis of each merchant's next assessment.

The revisions will be a major topic at the council's annual meetings with PCI stakeholders Sept. 23-25 in Orlando, Fla., and Oct. 22-23 in Brussels, Belgium. A summary of Version 1.2 can be downloaded from www.pcisecuritystandards.org/security_standards/supporting_documents.shtml.


Digital Transactions