Recent Changes to the PCI Data Security Standards (PCI DSS)

Compliance Corner is a monthly column focused on security trends and market changes that affect your regulatory compliance initiatives. The topics discussed and questions answered in this column are intended to help guide the management of your compliance program and security risk management practices. If you would like to submit a compliance-related question for consideration in next month's newsletter, please email your question to marketing@perimeterusa.com.

By now most people are familiar with the PCI DSS, the standard that applies to all merchants and service providers that store, process or transmit cardholder data. The standard was recently updated to account for new trends in information security. The revisions add new requirements and supporting guidance that every merchant and service provider must meet in order to maintain PCI compliance.

What are the PCI Data Security Standards?

The PCI DSS is a comprehensive security standard that outlines requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. It is intended to guide organizations toward proactively protecting customer account data. The PCI DSS is governed by the PCI Security Standards Council, whose goal is to drive education and awareness of the standard. The Council was created by the major payment card brands: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Its objective is to provide a transparent forum in which all stakeholders can provide input into the ongoing development and enhancement of the PCI DSS.

What are the new Changes and Requirements for PCI?

The PCI Council issued several changes in early 2008. Most are minor wording and structural changes to the documented standard.
However, three significant changes were made based on feedback and industry trends.

The first was an overhaul of the PCI Self-Assessment Questionnaire (SAQ). In the past, all merchants, regardless of size, were obliged to complete the same questionnaire of more than 230 questions, many of them irrelevant to smaller merchants. This prompted complaints that small merchants were having a difficult time achieving compliance. The new SAQ, released in February 2008, comes in four versions; a business selects the one that matches its technical configuration for processing card payments. Smaller merchants now have a streamlined questionnaire tailored to how they store, process or transmit cardholder data. Before completing one, confirm with your acquirer which version your environment qualifies for: answering a shorter questionnaire that does not match how you actually handle card data does not make you compliant.

The second was the requirement for merchants to conduct ongoing penetration testing of their environment. Requirement 11.3 addresses penetration testing at both the network and application layer, as well as the controls and processes around those networks and applications. The Council's guidance covers who may perform the testing, the recommended scope, the frequency (at least annually and after any significant infrastructure or application change), and the testing methodology and techniques. Penetration testing is in addition to the existing requirement for quarterly external vulnerability scans by an Approved Scanning Vendor; a clean quarterly scan does not by itself satisfy Requirement 11.3.

The last major change was Requirement 6.6: merchants with public-facing web applications must either perform ongoing application code reviews or install an application-layer firewall. This change was driven by the growing trend of application-specific vulnerabilities, which was the feature topic of the January edition of Compliance Corner. Unlike the changes noted above, Requirement 6.6 was issued as a recommendation (best practice) only and officially becomes a requirement after June 30, 2008.

Both options are intended to address common threats to cardholder data and ensure that input to web applications from untrusted environments is fully inspected. The first option, performing an application code review, is now subdivided into four alternatives, which include:
Conclusion

The recent changes to the PCI DSS are, overall, positive for merchants. The new questionnaires are designed so that the program fits the size of the organization and how it handles card data. In addition, the new requirements fill some significant gaps in the previous version of the standard. Perimeter eSecurity is an Approved Scanning Vendor (ASV) and has developed specific service lines that will help you achieve your PCI certification. Perimeter offers web

