Credit-card security standard issued after much debate

End-to-end encryption and virtualization security on horizon for credit/debit card handlers

The Payment Card Industry Security Standards Council, the organization that sets technical requirements for processing credit and debit cards, today issued revised security rules. It also indicated that next year it will focus on new guidelines for end-to-end encryption, payment machines and virtualization.

Adherence to PCI rules could play a key role in preventing big data thefts, like the 2005 TJX breach, security experts say

The PCI 1.2 data security standard (DSS) seeks to clarify several pieces of the earlier 12-part PCI 1.1 standard that had many confused. Among other things, Version 1.2 clarifies that all operating systems associated with card processing have to run antivirus software, while many had thought this was only about Microsoft Windows.

"That sounds like a sensible piece of advice," says Sushila Nair, product manager at BT, who says organizations often deploy antivirus on Windows but erroneously believe that Unix, Macs and other operating systems are somehow invulnerable. However, she notes that accommodating the clarified PCI rule on antivirus will be "expensive" in many places.

One of the biggest topics of debate at last month's PCI Council meeting was how to determine what "network segmentation" means. The standard aims to devise technical methods to cordon off where cardholder data is stored, so that a PCI compliance assessment can focus on the specific parts of a merchant's network that handle that data.

"There was a lot of talk about network segmentation," says Sumedh Thakar, PCI solutions manager at vulnerability management and policy compliance product company Qualys. "A lot of merchants were trying to get answers. The guidelines now are to restrict access using firewalls."

The PCI 1.2 standard advises the use of "internal firewalls, routers with strong access control" and other network-restricting technologies to assure internal network segmentation for card-processing purposes.
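The scoping consequence of segmentation can be made concrete: a segment that the firewall allows to reach the cardholder data environment on any port is still in scope for assessment. The following is an added example, not code from the article or the council; the segments, hosts and rules are constructed, and first-match-wins with an implicit default deny is an assumption about the firewall model.

```python
"""Scope check for firewall-based network segmentation (added example).
A segment is in scope when the first matching rule permits traffic from it
to the cardholder data environment (CDE). All values below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    port: Optional[int]  # None means any port


# Constructed segments; the CDE is the 10.10.0.0/24 database/payment segment.
SEGMENTS = {
    "cde-db": "10.10.0.0/24",
    "pos-lan": "10.20.0.0/24",
    "corp-office": "10.30.0.0/24",
    "guest-wifi": "192.168.50.0/24",
}
CDE = "cde-db"
PROBE_PORTS = [22, 443, 3306]

# Constructed ruleset: first match wins, anything unmatched is denied.
RULES = [
    Rule("allow", "10.20.0.0/24", "10.10.0.0/24", 443),     # POS -> payment app
    Rule("deny", "192.168.50.0/24", "10.10.0.0/24", None),  # guests blocked
    Rule("allow", "10.30.0.0/24", "10.10.0.0/24", 22),      # admin SSH opens a path
]


def first_match(rules, src, dst, port):
    """Return the action of the first rule covering src -> dst:port, else 'deny'."""
    s, d = ip_network(src), ip_network(dst)
    for r in rules:
        if (s.overlaps(ip_network(r.src)) and d.overlaps(ip_network(r.dst))
                and (r.port is None or r.port == port)):
            return r.action
    return "deny"  # implicit default deny


def in_scope_segments(segments, rules, cde, ports):
    """Map each non-CDE segment that can reach the CDE to the ports that open it.
    Every segment returned must be assessed as part of the CDE scope."""
    result = {}
    for name, net in segments.items():
        if name == cde:
            continue
        open_ports = [p for p in ports if first_match(rules, net, segments[cde], p) == "allow"]
        if open_ports:
            result[name] = open_ports
    return result
```

The admin SSH rule is the kind of detail that quietly pulls an office network into scope; removing it (or moving administration onto a jump host inside the CDE) is what shrinks the assessment boundary.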

Some IT managers say the PCI-based reviews that their organizations are now undergoing are already based on PCI 1.2 as the baseline. Such reviews are typically carried out by PCI Council-certified assessors if self-assessment procedures aren't applicable.

"It was in draft form so we decided to use that since there seemed to be no point in using 1.1 anymore," says one IT manager, who preferred not to be named. But he says his organization is finding it very difficult to isolate the network to protect specific servers and applications associated with cardholder data, plus monitor and log according to the PCI 1.2 guidelines.

"There's no way we can log all the stuff they want," he said, adding his organization has no choice but to keep plowing on with the assessors to make it through the PCI audit.

Vendors supporting new standard

The PCI update is also ushering in revised products to support it.

Qualys, for example, last week introduced a Web-application scanning service targeted at satisfying the new requirement that Part 6.6 of PCI 1.2 brings for conducting vulnerability tests of public-facing Web applications "at least annually or after any changes." An alternate technology allowed in PCI 1.2 in the 6.6 rule would be installing a Web application firewall.

One new rule expected to have some impact on merchants with wireless networks prohibits new implementations of the Wireless Encryption Protocol (WEP), deemed too weak, after March 31, 2009, and requires that all WEP be phased out by June 2010. The WPA standard is advocated in its place.

"WEP is going to be the biggest issue the merchants face out of this," predicts Bob Russo, general manager of the PCI Council.

Even as merchants and other organizations processing credit cards pore over the 73-page PCI 1.2 standard document to figure out the changes, they need to know that even more changes are slated for next year. The council is developing security guidelines for unattended payment terminals, including automated teller machines and other types of vending machines that process payment cards.

Next year there will be discussion about how security safeguards, such as encryption, should be used in ATMs for processing personal identification numbers, Russo says.

End-to-end encryption is likely to be a central focus as the council seeks input on how this might best be achieved in the payment-card environment through different technologies. If that is accomplished, it might result in a decidedly new PCI standard in the future for card-data protection, Russo says.

"Today we say if you're going outside the network, you need to be encrypted, but it doesn't need to be encrypted internally," Russo says. "But as an example, if you add end-to-end encryption, it might negate some requirements we have today, such as protecting data with monitoring and logging. Maybe you wouldn’t have to do that. So we'll be looking at that next year."

Gartner analyst Avivah Litan says very large retailers are now looking at end-to-end encryption and would like to go this route.

"The council is years behind the curve," says Litan, who also criticizes the council for failing to address fundamental issues such as network segmentation and network scope early on and devising rules that tend to treat vastly different types of organizations in the same way.

The PCI rules have treated "an e-commerce retailer the same as an international store chain," says Litan.

Another area where more standards could emerge is in virtualization, where physical servers are being replaced with multiple virtual servers.

"How do you protect these virtual machines?" Russo asks. "We don't know just yet." But the council hopes to spend time trying to determine the best approaches to protect card data in the realm of the virtual-machine environment.

Today's security tools, such as scanners, aren't always adequate, vendors acknowledge. Qualys, for instance, says its current scanner can check the basic IP address but can't dig into the applications running inside virtual machines, though it's working on new tools for that.

IBM, which last week introduced its SecureStore program for providing retailers with both physical-security protection and compliance with PCI, also says there's work to be done in virtualization security.

Virtualization's different way of running applications is causing "some blind spots," acknowledges Josh Corman, principal security strategist at IBM's ISS division. That's why IBM last month launched its Phantom initiative to build a wide range of security tools specifically for virtualized networks.
