SecureWorks - On the Radar Newsletter - October 2008
PCI DSS Version 1.2 Released
Key Revisions and Updates
On October 1, the Payment Card Industry Security Standards Council (PCI SSC) published version 1.2 of the PCI Data Security Standard (PCI DSS). With the new version, the Security Standards Council introduced several changes to the PCI DSS based on two years of feedback from the PCI community. Consisting of clarifications and updates to the existing 12 PCI requirements, these changes will have a significant impact on all levels of merchants and service providers.
Here are the major changes and their impact:
Absent from Version 1.2: Specific guidance on network segmentation
Network segmentation is the key to reducing the cost of PCI compliance over the long term, although it can be expensive initially. Properly done, network segmentation keeps cardholder data isolated, limiting the scope of PCI in a merchant or service provider’s environment. Without sound network segmentation, the scope can encompass every system on the network, resulting in much higher compliance costs.

Given the impact of network segmentation, merchants and service providers need specific guidance on appropriate (and compliant) ways to isolate the cardholder data environment. But consistent with its handling of the PCI DSS to date, the SSC chose not to provide in-depth requirements for network segmentation in Version 1.2, instead relying on organizations to develop the best solution for their environment. With the diversity of companies covered by PCI, there are countless ways network segmentation could be done, meaning that specific guidance is best provided on a case-by-case basis. The PCI SSC has left this to the Qualified Security Assessors (QSAs), who are responsible for interpreting the PCI DSS and what it requires of individual merchants and service providers.
Requirement 5: Use and regularly update anti-virus software or programs
To address ambiguity concerning the term "anti-virus", the Council expanded its definition of "anti-virus" to include protection against all known types of malicious software, not just viruses (5.1). This gives companies more options for meeting the intent of Requirement 5 by using anti-malware technologies beyond traditional anti-virus software (e.g. host IPS, anti-rootkit software). This added flexibility will benefit most merchants and service providers, although it could require deployment of anti-malware technologies on systems not covered by traditional anti-virus.
Requirement 6: Develop and maintain secure systems and applications
In June of this year, Requirement 6.6 (PDF) went into effect. Calling for merchants and service providers to secure their applications by either code review (Option 1) or the use of a web application firewall (Option 2), this change has already had a significant impact. With the application layer’s emergence as a prime attack vector, many larger organizations have already implemented an application security strategy that fulfills Requirement 6.6 to some extent. Most of these companies were already spending more, or planning to spend more, on application security in the near future. For smaller organizations that have not taken appropriate steps to secure their applications, complying with Requirement 6.6 will require additional resources in 2009.

With the release of the PCI DSS v1.2, the SSC also outlined its Software Development Lifecycle (SDLC) expectations for testing security patches, software and configuration changes prior to deployment in the cardholder data environment. As part of testing, merchants and service providers should check for proper input validation, error handling, secure storage, secure communications and role-based access control. As with other aspects of Requirement 6, this guidance is aligned closely with the OWASP Top Ten web application vulnerabilities.
The SSC has also changed its requirement for patching systems to allow companies to take a risk-based approach. This provides merchants and service providers with more flexibility to prioritize critical security patches where it makes sense in terms of risk to cardholder data. For example, critical security patches should be tested and deployed within 1 month, while less important patches can be addressed within 3 months. This flexibility should make it easier for organizations to incorporate the SDLC patch testing components outlined by the SSC.
Requirement 10: Track and monitor all access to network resources and cardholder data
In version 1.1 of the PCI DSS, merchants and service providers were required to retain audit logs for at least three months and have those logs available "online" for review. The PCI DSS v1.2 amends this, replacing "online" with "immediately available for analysis" and allowing for other retention methods as long as the audit logs are quickly and easily accessible for forensic investigation.

For companies that already met the original requirement for online audit log availability, this change should have no impact. Merchants or service providers that were retaining and archiving logs but had not yet deployed a system for making the logs available online may now be compliant, depending on how easily they can access their logs, and can avoid that cost. If no work has been done to retain audit logs, this change simply gives more options for implementing a compliant log retention system.
Requirement 11: Regularly test systems and processes
In the PCI DSS v1.2, Requirement 11.3 is clarified to explicitly mandate internal AND external penetration testing of networks AND applications. Whether performing penetration testing in-house or relying on a third-party consultant, merchants and service providers should verify that their penetration tests address these requirements. If previous penetration tests did not cover these requirements, organizations should expect their penetration testing costs to rise. Merchants and service providers should also verify that sufficient manual testing is performed in addition to automated methods for penetration testing to be effective.

Additionally, Requirement 11.1 now includes a recommendation for deploying wireless IDS/IPS technology to identify wireless devices in use. This is an alternative to using a wireless analyzer on a quarterly basis to find wireless access points. In larger or widely distributed environments where using a wireless analyzer would be a significant effort, deploying wireless IDS/IPS can be a more cost-effective option.
Other Changes in PCI DSS v1.2
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Firewall policy review is now required once every six months. This is relaxed from the previous requirement of quarterly policy review.
Requirement 3: Protect stored cardholder data
The term "encryption" has been replaced with "strong cryptography" to allow for other methods like masking, hashing, obfuscation, etc. This gives organizations more flexibility to meet the intent of the requirement by using the best methods available given their cardholder environment.
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Wired Equivalent Privacy (WEP) for securing wireless transmissions is being phased out. New implementations of WEP will not be allowed after March 31, 2009, and existing implementations must transition to more secure methods (such as WPA) by June 30, 2010.
Requirement 8: Assign a unique ID to each person with computer access
Similar to the approach taken for Requirement 3, the term "encryption" has been replaced with "render unreadable" to provide more flexibility for merchants and service providers to fulfill the intent of the requirement.
Requirement 12: Maintain a policy that addresses Information Security for employees and contractors
The term "employees" is now defined in the PCI DSS v1.2 to include full-time, part-time and temporary employees, as well as contractors and consultants who may be "resident" on the merchant/service provider’s site. This is to ensure that the Information Security Policy adequately covers everyone potentially involved in the cardholder data environment.
Going into effect on January 1, 2009, the PCI DSS v1.2 will have a considerable impact on most merchants and service providers. Given current economic conditions and increasing PCI compliance requirements, organizations should take steps to reduce security and compliance costs while making the most of their existing resources. Consult with a Qualified Security Assessor (like SecureWorks) to help identify opportunities to reduce the scope and cost of PCI and to ensure that you are fully addressing PCI requirements. Also, consider taking advantage of security services to cost-effectively address PCI requirements for log auditing, firewall management, intrusion prevention, vulnerability scanning, compliance reporting, and other resource-intensive processes.
SecureWorks Launches Service for Red Flags Compliance
On October 6, SecureWorks released a new service to help financial institutions comply with the Identity Theft Red Flags Rule. Provided by our compliance experts and based on examiner expectations, this new Red Flags Program Development service helps banks and credit unions establish a comprehensive ID Theft Prevention Program to detect, prevent and mitigate identity theft.
Learn more about our new Red Flags Development Service
View our Red Flags Program Development Webcast
Cyber Security Awareness Month
Top Ten Ways to Stay Safe Online
Article courtesy of the National Cyber Security Alliance (StaySafeOnline.org)
The Internet is supposed to make our lives better, and for most of us, that's exactly what it does. But the Internet has a dark side, and unless we take the proper precautions, this wonderful tool can end up causing us more harm than good.
October is National Cyber Security Awareness Month, and it's a good time to take a hard look at how our online behaviors may be putting us in harm's way.
You don't have to be a computer genius to protect yourself online, and you don't have to spend a lot of money. By following a few common-sense tips, you can make the most of your Internet experience while protecting yourself and your family from online threats.
- Protect your computer: The best thing you can do to keep the bad guys out of your computer is to use three inexpensive technologies: anti-virus software, anti-spyware software and a firewall. Some security companies provide all three in one easy-to-use package.
- Protect your identity: On the Internet, your personal data (social security number, birth date, etc.) is extremely valuable and can be used against you. Keep it protected.
- Protect your children: Children face unique risks on the Internet, and require unique rules and safeguards. Monitor your kids' online activities closely. There are many tools available to help you protect them from online threats.
- Stay up to date: Those security tools won't do any good unless you keep them up to date. You should be able to set them to update automatically. The same goes for your computer itself: it should be set to automatically install security updates.
- Email safely: Email is a favorite tool of online crooks. Even legitimate-looking messages can be scams. Learn how to filter for "spam" and spot the signs of scam emails.
- Protect your accounts: Choosing hard-to-guess passwords and changing them regularly can help prevent criminals from getting at your money or personal information.
- Make copies: Regularly backing up your music, photos and other important files can save you if your computer crashes or is stolen.
- Know your options: If something does go wrong, there are resources available to help get you back on your feet.
- Keep informed: Subscribe to the National Cyber Alert System from the U.S. Computer Emergency Readiness Team at www.us-cert.gov. Through the Alert System, you can receive timely information about current cyber security problems to protect home and office computers.
- Get your school involved: Suggest or sponsor an event at your local school or university designed to increase student and staff cyber security education and awareness. Download EDUCAUSE's cyber resource kit online at www.educause.edu.
For more information on all of these tips, including detailed guidance on how to protect your computer, your kids and your identity, visit the National Cyber Security Alliance at http://www.staysafeonline.org or get more information at www.OnGuardOnline.gov.