If you work with a business involved in any aspect of credit card processing, you're undoubtedly familiar with...
the Payment Card Industry Data Security Standard. The PCI standard replaced the various standards promoted by Visa International, MasterCard Inc. and other industry players with a single, consolidated standard for all merchants and service providers involved in card processing.
The initial release of the PCI standard in December 2004 was the first product of the PCI Security Standards Council, an industry organization created specifically to develop the PCI standard and assist those seeking compliance. Unfortunately, the first version of the standard was met with confusion and concern due to vague requirements and ambiguous reporting deadlines. Therefore, in September 2006, the industry released version 1.1, which implements several changes, some of which are substantial. Let's examine them and how they may affect business processes.
PCI standard 1.1
First, version 1.1 clarifies of some of the ambiguous wording in the requirements. For example, the new PCI standard now consistently uses "must" and "should" in their appropriate contexts throughout the document. The council also removed the word "periodically" and replaced it with specific timeframes such as "annually" and "quarterly."
It also sprinkled the document with text and notes designed to help users interpret the purpose of each requirement. More specifically:
- Section 6.6 introduces a new requirement to provide additional protection for Web applications. There are now two possible ways to satisfy this requirement: through the use of application code reviews or the implementation of a Web application firewall.
(Note: This requirement does not become effective until June 30, 2008.)
The first version required antivirus software "on all systems commonly affected by viruses. Version 1.1 enhances this provision as the software now must be able to detect "other forms of malicious software, including spyware and adware," and clarifies its applicability by stating "systems commonly affected by viruses typically do not include UNIX-based operating systems or mainframes."
Hosting providers have new responsibilities under PCI standard version 1.1. In addition to complying with all other aspects of the standard, they must take measures to ensure that clients are isolated from each other, that audit trails are unique for each merchant and that their business processes facilitate "timely forensic investigation" in the wake of a compromise.
The original standard required merchants to create configuration standards for all system components. Version 1.1 adds to this requirement; configuration standards must be consistent with industry standards, such as those promulgated by the Center for Internet Security, the National Institute for Standards and Technology and the SANS Institute.
- With version 1.0, merchants attempting to achieve compliance were likely to use "compensating controls" or alternative methods if they had difficulty meeting one or more of the requirements. Version 1.1 now states that "only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance." Additionally, it defines a compensating control as meeting four requirements:
- Meet the intent and rigor of the original requirement
- Repel a compromise attempt with similar force
- Be above and beyond other PCI standard requirements
- Be commensurate with the additional risk
The PCI Security Standards Council has taken the standard to the next level, and overall the revisions to the PCI standard are a good thing for merchants. While there are a few additional requirements for merchants and service providers, the revision clarifies quite a few ambiguous requirements, making the path to compliance easier to navigate.
About the Author:
Mike Chapple, CISA, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.