
The Payment Card Industry (PCI) Security Standards Council has pre-released its highly anticipated Data Security Standard (DSS) version 1.2. The standard is due to be officially released in October of this year (2008), but the PCI wanted to give businesses a chance to examine the changes and begin re-architecting half the stuff they hurriedly put in place this year in order to meet the June 30 deadline for 1.1. Enough of my babbling, on to the good stuff:
- Relaxed firewall configuration review from three months to six.
- Language changes to bring routers into the fold (not just firewalls).
- Clarified that the requirement applies to wireless environments "attached to the cardholder environment or transmitting cardholder data."
- Got rid of WEP language... long live WEP! (just kidding of course)
- Finally got rid of the silly SSID hiding requirement... I got into some very intense arguments here about the futility of hiding the SSID... so that's a big ITYS to my colleagues (except you, Ryan).
- Clarified that local user account databases need to be encrypted, but the DB in my secure data center sitting behind eight layers of security devices need not go through the hassle... not that they shouldn't be encrypted... maybe I won't share that new requirement with management ;)
- Wireless networks must follow industry best practices (whatever that means... more ambiguity!) for encryption, AAA, and transmission.
- New WEP deployments must be in place by the end of March 2009 (hear that, PMs... better hurry), and all WEP must die by June 30, 2010.
- AV is now required on all operating systems and must be kept updated and protect against known attacks.
- Thankfully loosened patching requirements to allow risk-based prioritization of patches.
- 6.6 is mandatory! All Internet-facing websites have to either be behind a WAF, have vulnerability assessment tools pointed their direction, or get a rubber-glove code review.
- You have to test and verify that passwords are unreadable both at rest and in motion.
- They did something surrounding the 2FA requirement for access but I guess we'll have to wait to get the actual requirement (bummer)
- Passphrases join passwords as acceptable forms of authentication (another ITYS)
- Must visit all off-site storage facilities at least once a year. (Ugh!)
- Added some flexibility surrounding cameras to allow other access control types.
- Finally clarified what "secure media" meant. It applies to electronic AND paper media and how to destroy it.
- External-facing devices must send their logs to internal logging servers (well, DUH!).
- Relaxed audit trail requirements to three months online; older logs can be archived but must be quickly restorable.
- More guidance surrounding wireless analyzers and WIDS/WIPS. ASVs must be used for quarterly external scans, and internal and external pen tests are required, but you don't have to use a QSA or ASV for the pen tests!
- This one I don't get: 'Expanded list of examples of critical employee-facing technologies to include "remote access technologies, wireless technologies, removable electronic media, email usage, internet usage, laptops, and Personal Data Assistants (PDAs)"' (Big WTF?!?!?!)
- Security policy must be reviewed by all employees annually.
- Cleared up language regarding service provider account access and hygiene.
- Generally cleaned up language for consistency and clarity (we'll see about that!).

All in all, I am glad to see some of the clarifications and new requirements, but there is still enough ambiguity and confusing language in the "clarifications" to keep security professionals busy and QSAs well employed over the next few years.