If you work with a business involved in any aspect of credit card processing, you're undoubtedly familiar with the Payment Card Industry Data Security Standard. The PCI standard replaced the various standards promoted

    Requires Free Membership to View

by Visa International, MasterCard Inc. and other industry players with a single, consolidated standard for all merchants and service providers involved in card processing.

More on complying
with the PCI standard

Learn how to meet PCI and other regulatory requirements. 

The initial release of the PCI standard in December 2004 was the first product of the PCI Security Standards Council, an industry organization created specifically to develop the PCI standard and assist those seeking compliance. Unfortunately, the first version of the standard was met with confusion and concern due to vague requirements and ambiguous reporting deadlines. Therefore, in September 2006, the industry released version 1.1, which implements several changes, some of which are substantial. Let's examine them and how they may affect business processes.

PCI standard 1.1 
First, version 1.1 clarifies of some of the ambiguous wording in the requirements. For example, the new PCI standard now consistently uses "must" and "should" in their appropriate contexts throughout the document. The council also removed the word "periodically" and replaced it with specific timeframes such as "annually" and "quarterly."

It also sprinkled the document with text and notes designed to help users interpret the purpose of each requirement. More specifically:

  • Section 6.6 introduces a new requirement to provide additional protection for Web applications. There are now two possible ways to satisfy this requirement: through the use of application code reviews or the implementation of a Web application firewall.
  • (Note: This requirement does not become effective until June 30, 2008.)

     

  • The first version required antivirus software "on all systems commonly affected by viruses. Version 1.1 enhances this provision as the software now must be able to detect "other forms of malicious software, including spyware and adware," and clarifies its applicability by stating "systems commonly affected by viruses typically do not include UNIX-based operating systems or mainframes."

     

  • Hosting providers have new responsibilities under PCI standard version 1.1. In addition to complying with all other aspects of the standard, they must take measures to ensure that clients are isolated from each other, that audit trails are unique for each merchant and that their business processes facilitate "timely forensic investigation" in the wake of a compromise.

     

  • The original standard required merchants to create configuration standards for all system components. Version 1.1 adds to this requirement; configuration standards must be consistent with industry standards, such as those promulgated by the Center for Internet Security, the National Institute for Standards and Technology and the SANS Institute.

     

  • With version 1.0, merchants attempting to achieve compliance were likely to use "compensating controls" or alternative methods if they had difficulty meeting one or more of the requirements. Version 1.1 now states that "only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance." Additionally, it defines a compensating control as meeting four requirements:
    • Meet the intent and rigor of the original requirement
    • Repel a compromise attempt with similar force
    • Be above and beyond other PCI standard requirements
    • Be commensurate with the additional risk

The PCI Security Standards Council has taken the standard to the next level, and overall the revisions to the PCI standard are a good thing for merchants. While there are a few additional requirements for merchants and service providers, the revision clarifies quite a few ambiguous requirements, making the path to compliance easier to navigate.

About the Author:
Mike Chapple, CISA, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.

This was first published in January 2008

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.