PCI 1.2 Changes Are Afoot


In a column I wrote for eWEEK's print edition (PDF) a couple months ago (Vol. 21, July 7 cover date, page 51) and in one of Ziff Davis Enterprise's Virtual Trade Shows, I speculated on what changes affecting wireless networks would be made in the next iteration of the Payment Card Industry standard. Now, I can stop speculating because the PCI Security Standards Council today, Aug. 18, released the changes we can expect to see implemented in Version 1.2, (PDF) which should be formally released by October.

In a nutshell (for those choosing not to RTFA), I was guessing that the new standard would:

1) stop recommending WEP (Wired Equivalent Privacy) in favor of WPA (Wi-Fi Protected Access)/WPA2, but not ban the use of WEP;

2) stop requiring administrators to hide the SSID (service set identifier) broadcast; and

3) strengthen their requirements regarding the use of wireless analysis tools.

Let's just say, I like being right. However, the standard did set a somewhat unaggressive timeline for the abolition of WEP, a step I did not anticipate. Organizations using WEP and beholden to PCI have just under two years from right now to implement a modern wireless security standard (only nine-and-a-half years after the protocol was first broken!).

Here are some excerpts of the changes that pertain to wireless networks (source here in a PDF):

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

• Clarified that the requirement applies to wireless environments "attached to cardholder environment or transmitting cardholder data"

• Removed references to WEP in order to emphasize using strong encryption technologies for wireless networks, for both authentication and encryption

• Removed requirement to disable SSID broadcast since disabling SSID broadcast does not prevent a malicious user from determining the SSID, as the SSID is broadcast over numerous other messaging/communication channels.

Requirement 4: Encrypt transmission of cardholder data across open, public networks

• Wireless must now be implemented according to industry best practices (e.g., IEEE 802.11x) using strong encryption for authentication and transmission

• New implementations of WEP are not allowed after March 31, 2009

• Current implementations must discontinue use of WEP after June 30, 2010.
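The two WEP dates above are the kind of thing an assessor ends up checking against a wireless inventory, so here is an added example (my own illustration, not code from the post or from the PCI Security Standards Council) that classifies each access point against the Requirement 4 timeline. The AccessPoint fields, the sample inventory and the "in_cde" scoping shortcut are assumptions for the example; the two cutoff dates are the ones quoted in the summary of changes.

```python
from dataclasses import dataclass
from datetime import date

# Deadlines as quoted in the PCI DSS 1.2 summary of changes:
# no new WEP implementations after 2009-03-31, all WEP use ended after 2010-06-30.
NEW_WEP_CUTOFF = date(2009, 3, 31)
WEP_SUNSET = date(2010, 6, 30)


@dataclass
class AccessPoint:
    ssid: str
    encryption: str   # "open", "WEP", "WPA" or "WPA2" (assumed labels)
    deployed: date    # date this wireless implementation went live
    in_cde: bool      # attached to / transmitting cardholder data (assumed scoping flag)


def assess(ap: AccessPoint, today: date) -> str:
    """Classify one access point against the Requirement 4 wireless changes."""
    if not ap.in_cde:
        # Simplification: APs outside the cardholder data environment are treated
        # as out of scope for this check. Real scoping is an assessor's call.
        return "out-of-scope"
    enc = ap.encryption.upper()
    if enc in ("WPA", "WPA2"):
        return "compliant"
    if enc == "OPEN":
        return "non-compliant: no encryption"
    if enc == "WEP":
        if ap.deployed > NEW_WEP_CUTOFF:
            return "non-compliant: new WEP implementation after 2009-03-31"
        if today > WEP_SUNSET:
            return "non-compliant: WEP still in use after 2010-06-30"
        days_left = (WEP_SUNSET - today).days
        return f"remediate: legacy WEP, {days_left} days until sunset"
    return f"non-compliant: unknown encryption {ap.encryption!r}"


def report(inventory, today: date) -> dict:
    """Map each SSID in the inventory to its assessment."""
    return {ap.ssid: assess(ap, today) for ap in inventory}


# Constructed sample inventory for the example (not real data).
SAMPLE_INVENTORY = [
    AccessPoint("STORE-POS", "WPA2", date(2008, 1, 15), True),
    AccessPoint("LEGACY-SCANNERS", "WEP", date(2006, 5, 2), True),
    AccessPoint("WAREHOUSE", "WEP", date(2007, 9, 9), False),
]

if __name__ == "__main__":
    # Run "as of" the day the summary of changes was released.
    for ssid, verdict in report(SAMPLE_INVENTORY, date(2008, 8, 18)).items():
        print(f"{ssid:18} {verdict}")
```

Run as of Aug. 18, 2008 the legacy WEP network reports 681 days to the sunset, which is the "just under two years" the post refers to.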

Requirement 10: Track and monitor all access to network resources and cardholder data

• Clarified that logs for external facing technologies (for example, for wireless, firewalls, DNS and mail) must be copied to an internal log server

• Provided flexibility and clarified that three months of audit trail history must be "immediately available for analysis" or quickly accessible (online, archived or restorable from backup).

Requirement 11: Regularly test security systems and processes

• Provided more guidance on use of wireless analyzers and/or wireless intrusion detection or prevention systems.