PCI 1.2 arrives – and the changes seem dealable

Considering two years of feedback have gone into revising the Payment Card Industry Data Security Standard (PCI DSS) for its next coming-out party, the most prescriptive IT security mandate in all the land actually hasn't changed that much.

And that's good news. It proves that a set of guidelines can be industry driven, without any reliance on the government, and still motivate companies to take action.

That's, of course, not to say there hasn't been lots of kicking and screaming along the way, but considering Visa's latest compliance figures, merchants are accepting the reality that is PCI DSS.

Version 1.2 of the standard gets released today to the hundreds of participating members of the PCI Security Standards Council. On Oct. 1, the day 1.2 officially takes effect, everyone can see it.

With that said, there are some very significant additions to the new version.

Chief among them is the removal of references to the WEP (Wireless Equivalent Privacy) encryption standard, an outdated algorithm that, depending on who you ask, is filled with more holes than Swiss cheese. By 2010, organizations encrypting wireless communication must have fully transitioned to the WPA (Wi-Fi Protected Access) model, a grown-up version of WEP.

Other changes include making requirement 6.6, which says organizations need to either perform application code review or implement a web application firewall, mandatory - no longer just a best practice.

There also are some clarifications and adjustments, such as using consistent terminology, like "strong cryptography," in addition to defining some deadlines not in terms of time but based on risk to that individual merchant.

Absent from the latest version is a requirement to encrypt internal communication from point-of-sale device to credit card processor, something I thought might have found its way into the updated version after the Hannaford breach.

I met with Bob Russo, the PCI council's general manager on Thursday, who told me the change could someday become part of the standard. But if retailers comply with existing sections of the standard, they should be able to avoid a rogue person inserting a sniffer on their private network. Plus, the council - which administers the standard - tries to avoid pushing out new, potentially time consuming and costly requirements on merchants, whenever possible.

"My objective when I put out a new standard is not to put people out of compliance," Russo says.

He also told me that he has yet to know of a single retailer who has been PCI compliant and simultaneously breached. When I asked him about Hannaford, which supposedly had just successfully completed a PCI audit prior to its major data compromise, he told me the supermarket chain's former CIO could never prove it to him.

Regardless, I have to believe that even if retailers are close to PCI compliance, they're in pretty good shape. The cybercriminals of the world are looking for the lowest common denominator, the type of business whose defenses aren't going to make it difficult on them.

Believe me, there are still plenty of TJXs and Hannafords to go around.

So keep it up, merchants! I know PCI can be costly and riddled with some complexities but isn't it better to be told what to do by your peers rather than the federal government?

Oh, and be happy version 1.2, not 2.0, is showing up at your doorstep in two weeks. Because that would mean a lot more work would be in order.


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.