The credit and debit card industry has been ordered to beef up its wireless network and anti-virus defences and to prepare for new rules on end-to-end encryption and virtualisation.
The Payment Card Industry Security Standards Council, the organisation that sets technical requirements for processing credit and debit cards, yesterday (1 October) issued revised security rules, while also indicating that next year it will focus on new guidelines for end-to-end encryption, payment machines and virtualisation.
The PCI 1.2 data security standard (DSS) seeks to clarify several parts of the earlier 12-part PCI 1.1 standard that had many organisations confused.
For instance, it clarifies that all operating systems associated with card processing have to run antivirus software, while many had thought this was only about Microsoft Windows.
"That sounds like a sensible piece of advice," says Sushila Nair, product manager at BT, who says organisations often deploy anti-virus on Windows but erroneously believe Unix, Macs and other operating systems are somehow less vulnerable. However, she notes that accommodating the clarified PCI rule on anti-virus in many places will be "expensive".
One of the biggest topics of debate at the PCI meeting in Orlando last week, which attracted more than 600 delegates from the retailing sector and the high-tech industry, was to determine what "network segmentation" means.
This is because the PCI standard is aimed at trying to devise technical methods to cordon off where credit cards are stored so that PCI compliance assessment can be focused on specific parts of a merchant's network involved with cardholder data, not the entire enterprise.
"There was a lot of talk about network segmentation," says Sumedh Thakar, PCI solutions manager at Qualys, who attended the meeting. "A lot of merchants were trying to get answers. The guidelines now are to restrict access using firewalls."
The PCI 1.2 standard focuses a lot of its first pages on network segmentation. The document states that network segmentation today "is not a requirement," but that "without network segmentation [sometimes called a 'flat network'] the entire network is in the scope of the PCI DSS assessment."
Because the goal of compliance is to gauge what's in the scope of the PCI DSS, the PCI 1.2 standard advises the use of "internal firewalls, routers with strong access control" and other network-restricting technologies to assure internal network segmentation for card-processing purposes.
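The scoping consequence described above, as an added illustration that is not from the article or the Council: a small Python model, using a constructed host inventory and hypothetical segment names, that computes which hosts fall into assessment scope under a given set of firewall-permitted flows. A flat network (every segment allowed to reach every other) puts every host in scope, while restricting access with internal firewalls shrinks scope to the cardholder data environment (CDE) and whatever can still reach it.

```python
"""Model PCI DSS assessment scope under network segmentation.

Constructed example: hosts, segment names and rules are hypothetical,
and the scoping rule is a simplification, not the Council's own method.
"""
from collections import deque

CDE = "cde"  # hypothetical name of the cardholder data segment

# Constructed inventory: host -> network segment.
HOSTS = {
    "pos-01": "cde", "db-cards": "cde",
    "hr-laptop": "corp", "marketing-web": "corp",
    "guest-ap": "guest",
}


def in_scope(hosts, allowed):
    """Return the set of hosts inside PCI assessment scope.

    `allowed` is a set of (src_segment, dst_segment) pairs that the
    internal firewalls permit. A host is in scope if it sits in the CDE
    or its segment can reach the CDE, directly or through other
    permitted hops. Traffic inside one segment is always unrestricted.
    """
    reach_cde = {CDE}
    queue = deque([CDE])
    while queue:  # walk backwards over permitted flows toward the CDE
        dst = queue.popleft()
        for src, d in allowed:
            if d == dst and src not in reach_cde:
                reach_cde.add(src)
                queue.append(src)
    return {h for h, seg in hosts.items() if seg in reach_cde}


def flat_network(hosts):
    """Rules for an unsegmented network: every segment reaches every other."""
    segs = set(hosts.values())
    return {(a, b) for a in segs for b in segs if a != b}


if __name__ == "__main__":
    print("flat network :", sorted(in_scope(HOSTS, flat_network(HOSTS))))
    print("segmented    :", sorted(in_scope(HOSTS, set())))
    print("corp -> cde  :", sorted(in_scope(HOSTS, {("corp", CDE)})))
```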
Bob Russo, general manager at the Council, said he expects the group to issue recommendations next year in the form of a white paper and possibly update or refine the guidance on it.
A new rule will hit some retailers with wireless networks. From 31 March 2009 new implementations of Wired Equivalent Privacy (WEP) will not be allowed, because the standard is deemed too weak. All WEP networks must be phased out by June 2010. The Wi-Fi Protected Access standard is advocated in its place.
"WEP is going to be the biggest issue the merchants face out of this," Russo predicts.
Next year the PCI Council will develop security guidelines for unattended payment terminals, including automated teller machines and other types of vending machines processing payment cards.
"We haven't covered ATM machines until now," Russo says, but next year there will be discussion about how security safeguards, such as encryption, should be used in ATMs for processing personal identification numbers.
"Today we say if you're going outside the network, you need to be encrypted, but it doesn't need to be encrypted internally," Russo says. "But as an example, if you add end-to-end encryption, it might negate some requirements we have today, such as protecting data with monitoring and logging."
Another area where more standards could emerge is in virtualisation. "How do you protect these virtual machines?" Russo asks. "We don't know just yet." But the Council hopes to spend time trying to determine the best approaches to protect card data in the realm of the VM environment.