November 19, 2008

PCI DSS 1.2 – What’s New?

By Skylor Phillips

The PCI Data Security Standard (DSS) has just undergone a refresh. The PCI Security
Standards Council released version 1.2 of the DSS on October 1, 2008. The new version
must be used by all organizations who begin a new PCI assessment after October 1st.
If your organization is currently undergoing an assessment you have until December
31, 2008 to complete it using the previous 1.1 version of the standard.
So what changed
between 1.1 and 1.2? The following list highlights the major changes in the new standard.

Wireless changes:

  • WEP can no longer be used as the deployed wireless encryption algorithm (Req 4.1.1)
    • All existing deployments using WEP must be updated by June 30, 2010
  • All wireless deployments must use industry best practices and strong encryption (Req
    4.1.1)
    • 802.11i using either TKIP or CCMP
  • Wireless analyzers must be run at least once a quarter (Req 11.1)
    • Regardless of your organization officially deploying a wireless solution

Malicious software detection changes:

  • Anti-virus solution must provide coverage against all types of malicious software
    (Req 5.1.1)
    • Now includes malware and spyware which many enterprise AV solutions do not currently
      detect
  • Anti-virus solution must be implemented on all operating systems (Req 5.1)
    • If an AV solution exists for an OS, you must be running it

Web application changes:

  • All public-facing web applications must undergo a code review or have an application
    firewall deployed protecting them (Req 6.6)
    • Recommended requirement until June 30, 2008, after that will become mandatory requirement

Public system scanning changes:

  • Only an Approved Scanning Vendor (ASV) can be used for quarterly external vulnerability
    scans (Req 11.2)
  •  Penetration
    test must be performed both internally and externally (Req 11.3) >

Encryption changes:

  • Testing must now be done to verify passwords are unreadable in both storage and transmission
    (Req 8.4)
  • Disk encryption must not use local user account database to manage access controls
    (Req 3.4.1)

Media handling changes:

  • Securing media applies to both electronic and paper media containing cardholder data
    (Req 9.6)

For more information about PCI DSS version 1.2 visit the PCI
Security Standards Council.

Posted in PCI