PCI standard, take two

More on complying with the PCI standard Learn how to meet PCI and other regulatory requirements.

The initial release of the PCI standard in December 2004 was the first product of the PCI Security Standards Council, an industry organization created specifically to develop the PCI standard and assist those seeking compliance. Unfortunately, the first version of the standard was met with confusion and concern due to vague requirements and ambiguous reporting deadlines. Therefore, in September 2006, the industry released version 1.1, which implements several changes, some of which are substantial. Let's examine them and how they may affect business processes.

PCI standard 1.1
First, version 1.1 clarifies of some of the ambiguous wording in the requirements. For example, the new PCI standard now consistently uses "must" and "should" in their appropriate contexts throughout the document. The council also removed the word "periodically" and replaced it with specific timeframes such as "annually" and "quarterly."

It also sprinkled the document with text and notes designed to help users interpret the purpose of each requirement. More specifically:

• Section 6.6 introduces a new requirement to provide additional protection for Web applications. There are now two possible ways to satisfy this requirement: through the use of application code reviews or the implementation of a Web application firewall.
(Note: This requirement does not become effective until June 30, 2008.)
• The first version required antivirus software "on all systems commonly affected by viruses. Version 1.1 enhances this provision as the software now must be able to detect "other forms of malicious software, including spyware and adware," and clarifies its applicability by stating "systems commonly affected by viruses typically do not include UNIX-based operating systems or mainframes."

• Hosting providers have new responsibilities under PCI standard version 1.1. In addition to complying with all other aspects of the standard, they must take measures to ensure that clients are isolated from each other, that audit trails are unique for each merchant and that their business processes facilitate "timely forensic investigation" in the wake of a compromise.

• The original standard required merchants to create configuration standards for all system components. Version 1.1 adds to this requirement; configuration standards must be consistent with industry standards, such as those promulgated by the Center for Internet Security, the National Institute for Standards and Technology and the SANS Institute.

• With version 1.0, merchants attempting to achieve compliance were likely to use "compensating controls" or alternative methods if they had difficulty meeting one or more of the requirements. Version 1.1 now states that "only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance." Additionally, it defines a compensating control as meeting four requirements:

  • Meet the intent and rigor of the original requirement
  • Repel a compromise attempt with similar force
  • Be above and beyond other PCI standard requirements
  • Be commensurate with the additional risk

The PCI Security Standards Council has taken the standard to the next level, and overall the revisions to the PCI standard are a good thing for merchants. While there are a few additional requirements for merchants and service providers, the revision clarifies quite a few ambiguous requirements, making the path to compliance easier to navigate.

About the Author:
Mike Chapple, CISA, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.

Rate this Tip To rate tips, you must be a member of SearchFinancialSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Compliance and Governance Digest Seven GRC best practices for information security Shifting to a flexible information security framework Vendor contract management: Regulatory guidance is risk-based Vendor audit and monitoring contractual rights Data breach protection: Implementing vendor breach safeguards How to manage security risks in vendor contracts Red Flags Rule and preparing for new regulations Companies lagging in PA DSS compliance Social media: Risk management strategies for financial institutions FFIEC guidance on RDC: Guidance overview PCI DSS: Audits and requirements Vendor contract management: Regulatory guidance is risk-based Vendor audit and monitoring contractual rights RBS WorldPay agrees to market VeriFone end-to-end encryption Companies lagging in PA DSS compliance Download presentations from Financial Information Security Decisions 2009 Two conversations about risk assessment Why financials should pay attention to NERC CIP Infosecurity pro pitfalls RBS WorldPay regains spot on Visa's PCI compliance list Tokenization and PCI compliance RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary CISP-PCI  (SearchFinancialSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.