PCI DSS 1.1 released

September 11th, 2006 | 1 Comment | Posted in Security and Compliance

So a few days ago, 9/7/06 to be exact, American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International jointly announced the formation of an independent council, called PCI Security Standards Council, designed to manage the ongoing evolution of the Payment Card Industry (PCI) Data Security Standard.

As its first order of business, the PCI Security Standards Council released PCI DSS v1.1. The Payment Card Industry Data Security Standard (DSS) v 1.1 has replaced the DSS v. January 2005, and the PCI Security Standards Council will no longer recognize DSS v. 2005 after December 31, 2006.

Here are some of the interesting documents.

One change that everyone took notice of was the language around data retention.

In v1.0, sub-requirement 10.7 said

An audit history usually covers a period of at least one year, with a minimum of 3 months available online.

In v1.1, it now says

Retain audit trail history for at least one year, with a minimum of three months online availability.

The change is significant. It now means everyone who processes, stores or transmits credit card information MUST retain audit trails for a minimum of a year, whereas in v1.0 this was not a requirement.
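As an added example (not from this post or from the PCI SSC), here is a small Python check that evaluates an audit-trail inventory against the v1.1 wording of 10.7: at least one year retained, at least three months online. The inventory record layout and the sample dates are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed inventory record; the field layout is an assumption, not a PCI SSC format.
@dataclass(frozen=True)
class LogSegment:
    start: date    # first day covered by this audit-trail segment
    end: date      # last day covered (inclusive)
    online: bool   # True if immediately available, False if on archive media

def missing_days(segments, window_start, window_end):
    """Days in [window_start, window_end] that no segment covers."""
    covered = set()
    for seg in segments:
        day = max(seg.start, window_start)
        while day <= min(seg.end, window_end):
            covered.add(day)
            day += timedelta(days=1)
    gaps, day = [], window_start
    while day <= window_end:
        if day not in covered:
            gaps.append(day)
        day += timedelta(days=1)
    return gaps

def check_10_7(segments, today, retain_days=365, online_days=90):
    """Evaluate an inventory against v1.1 sub-requirement 10.7: audit trail
    history retained for at least a year, with three months available online.
    Returns (compliant, retention_gap_days, online_gap_days)."""
    retention_gaps = missing_days(segments, today - timedelta(days=retain_days), today)
    online_only = [s for s in segments if s.online]
    online_gaps = missing_days(online_only, today - timedelta(days=online_days), today)
    return (not retention_gaps and not online_gaps, len(retention_gaps), len(online_gaps))

def evaluate_example(year, month, day):
    """Constructed inventory: a year of archived logs on tape plus a live
    segment on the log server that begins on the given date (e.g. after a
    rebuild that lost earlier logs)."""
    today = date(2006, 12, 31)
    inventory = [
        LogSegment(date(2005, 10, 1), date(2006, 9, 30), online=False),
        LogSegment(date(year, month, day), today, online=True),
    ]
    return check_10_7(inventory, today)

if __name__ == "__main__":
    print(evaluate_example(2006, 10, 1))   # (True, 0, 0): continuous coverage
    print(evaluate_example(2006, 11, 1))   # (False, 31, 30): October is lost
```

The second call shows the failure mode an assessor looks for: a month missing from the archive breaks the one-year requirement even though the online portion is nearly complete.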

There are other changes worth noting.

Changes to requirement 1.2 and 1.3

v1.1 removed some of the specific protocols and is now using phrases like “necessary for the cardholder data environment.” The question is who determines what’s necessary for the business?

Addition of 2.4

This requirement basically puts all hosting providers, including ISPs, MSPs and MSSPs, in the same category as merchants: the hosting providers must now conform to PCI DSS.

In addition, the hosting providers must ensure that hosting customers can only see data that belongs to them.

Changes to 5 and 5.1

v1.1 both expanded and restricted the scope of systems that require anti-virus software. It expanded the scope by stating “all systems commonly affected by viruses” instead of the old v1.0 saying, “all email systems and desktops.”

It restricted the scope because it added a note saying that UNIX-based systems or mainframes are typically not affected by viruses.

There’s also a new sub-requirement 5.1.1 that requires anti-virus software to also detect, remove and protect against spyware and adware.

Added clarification to 6

A note is added to requirement 6 saying that

Appropriate software patches are those patches that have been evaluated and tested sufficiently to determine that the patches do not conflict with existing security configurations.

I am somehow seeing that many organizations will be using this as an out for not installing patches.

Auditor: “oh you don’t have patch X installed.”
IT Admin: “oh sorry, we haven’t tested it sufficiently to know if it will downgrade our security settings.”
Auditor: “but you are supposed to test this.”
IT Admin: “oh we know, but the PCI DSS doesn’t say when we have to do it”

Addition of 6.6

Sub-requirement 6.6 says you need to protect your web-facing applications by having someone do a code review of your application or by installing an application layer firewall in front of them.

I can just see a jump in sales for the Cyberguard, Symantec Enterprise Firewall and others.


One Response to “PCI DSS 1.1 released”

  1. Datasecurity Says:

    I wanted to let you know of a blog on PCI DSS that covers the requirements and clarifies each item. We have multiple bloggers with direct experience with the standard writing on the requirements, intent, business impact, PIN security, etc.

    Please feel free to check it out and add to your blogroll.
    http://datasecurity.wordpress.com/

    One post about the v1.1 changes and requirements.
    http://datasecurity.wordpress.com/2006/09/22/new-pci-dss-standard-what-and-when/

    -Datasecurity