PCI DSS 1.2 – What’s New?

Wednesday, November 19, 2008 12:28:32 AM UTC
by Brennen Reynolds

The PCI Data Security Standard (DSS) has just undergone a refresh. The PCI Security Standards Council released version 1.2 of the DSS on October 1, 2008. The new version must be used by all organizations who begin a new PCI assessment after October 1st. If your organization is currently undergoing an assessment you have until December 31, 2008 to complete it using the previous 1.1 version of the standard.

So what changed between 1.1 and 1.2? The following list highlights the major changes in the new standard.


Wireless changes:

  • WEP can no longer be used as the deployed wireless encryption algorithm (Req 4.1.1)
    • All existing deployments using WEP must be updated by June 30, 2010
  • All wireless deployments must use industry best practices and strong encryption (Req 4.1.1)
    • 802.11i using either TKIP or CCMP
  • Wireless analyzers must be run at least once a quarter (Req 11.1)
    • Required even if your organization has not officially deployed a wireless solution
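The wireless items above can be turned into a repeatable quarterly check. The script below is an added example, not code from the original post or from the PCI Council: it takes a simplified scan export in an assumed `ssid,bssid,security` format (constructed sample data inline), flags WEP and open networks under Req 4.1.1, accepts 802.11i with TKIP or CCMP as the standard text lists them, and flags any SSID missing from an assumed allow-list of authorized networks as a rogue-AP candidate for Req 11.1. Real analyzer output would need its own parser.

```python
"""Quarterly wireless survey check against the PCI DSS 1.2 wireless items
summarized above (Req 4.1.1: no WEP, 802.11i with TKIP or CCMP;
Req 11.1: run an analyzer quarterly, whether or not wireless is
officially deployed).

Added example, not part of the original post. The scan-record format
(SSID, BSSID, security string) is a constructed simplification, and the
authorized-SSID list is assumed for illustration.
"""
from dataclasses import dataclass

# Constructed sample: a simplified export from a wireless scan.
SAMPLE_SCAN = """\
CorpPOS,00:11:22:33:44:01,WPA2-PSK/CCMP
CorpPOS-Legacy,00:11:22:33:44:02,WEP
Guest,00:11:22:33:44:03,OPEN
Warehouse,00:11:22:33:44:04,WPA-PSK/TKIP
Unknown-AP,00:11:22:33:44:05,WPA2-PSK/CCMP
"""

# Assumed: SSIDs the organization has formally authorized near the cardholder environment.
AUTHORIZED_SSIDS = {"CorpPOS", "CorpPOS-Legacy", "Warehouse", "Guest"}


@dataclass(frozen=True)
class Finding:
    ssid: str
    bssid: str
    issue: str


def parse_scan(text):
    """Parse 'ssid,bssid,security' lines into tuples; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ssid, bssid, security = (field.strip() for field in line.split(",", 2))
        records.append((ssid, bssid, security.upper()))
    return records


def classify(security):
    """Return an issue string for a security mode, or None when it is acceptable
    under Req 4.1.1. TKIP is accepted because the 1.2 text lists it alongside
    CCMP; CCMP remains the stronger choice."""
    if security == "OPEN":
        return "no encryption"
    if "WEP" in security:
        return "WEP in use (prohibited by Req 4.1.1; must be replaced by June 30, 2010)"
    if "CCMP" in security or "TKIP" in security:
        return None
    return "unrecognized security mode; verify manually"


def audit(scan_text, authorized=AUTHORIZED_SSIDS):
    """Produce one Finding per problem: unauthorized SSIDs and weak/absent encryption."""
    findings = []
    for ssid, bssid, security in parse_scan(scan_text):
        if ssid not in authorized:
            findings.append(Finding(ssid, bssid,
                                    "SSID not in authorized list (possible rogue AP, Req 11.1)"))
        issue = classify(security)
        if issue:
            findings.append(Finding(ssid, bssid, issue))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SCAN):
        print(f"{f.ssid} ({f.bssid}): {f.issue}")
```

On the constructed sample this reports the WEP network, the open guest network, and the unrecognized SSID, and stays silent on the CCMP and TKIP networks; the point of keeping the allow-list and the classifier separate is that a network can pass the encryption test and still be a rogue access point.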


Malicious software detection changes:

  • Anti-virus solution must provide coverage against all types of malicious software (Req 5.1.1)
    • Now includes malware and spyware, which many enterprise AV solutions do not currently detect
  • Anti-virus solution must be implemented on all operating systems (Req 5.1)
    • If an AV solution exists for an OS, you must be running it


Web application changes:

  • All public-facing web applications must undergo a code review or have an application firewall deployed protecting them (Req 6.6)
    • A recommendation until June 30, 2008; a mandatory requirement after that date


Public system scanning changes:

  • Only an Approved Scanning Vendor (ASV) can be used for quarterly external vulnerability scans (Req 11.2)
  • Penetration test must be performed both internally and externally (Req 11.3)


Encryption changes:

  • Testing must now be done to verify passwords are unreadable in both storage and transmission (Req 8.4)
  • Disk encryption must not use the local user account database to manage access controls (Req 3.4.1)


Media handling changes:

  • Securing media applies to both electronic and paper media containing cardholder data (Req 9.6)


For more information about PCI DSS version 1.2 visit the PCI Security Standards Council.

Friday, December 05, 2008 1:03:16 AM UTC
With the combination of PCI DSS 1.2 coming out and the inclusion of VMWare joining the council, this is a huge win for both companies currently struggling with PCI DSS compliance. I am hoping to see the standard lose some of the gray areas which are causing many IT departments confusion. It is nice that data loss prevention is on the minds of more security professionals.