PCI Data Security Standard Updated
The Payment Card Industry (PCI) has released the newest version of its data security standards (PCI-DSS). The version is designed to help protect transmitted charge and debit card information, and spells out a comprehensive vulnerability management program.
While not a banking regulatory standard, PCI was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International. It is a standard with which many banking institutions comply.
Industry information security experts say that following PCI-DSS 1.2 with access control testing, system monitoring and the implementation of documented enterprise-wide security policies will help companies remain out of the headlines and will also help streamline compliance. Recent high-profile data theft cases show the need for these new, stronger standards.
"This version 1.2 is the culmination of two years' worth of feedback from PCI community on what they see are needed changes," says Bob Russo, General Manager of the PCI Security Standards Council. Most of the changes amount to clarification, tweaking and added flexibility in the existing requirements; the version also includes best practices the council has been seeing in use.
One major change concerns wireless security: WEP will no longer be accepted under Requirement 4. "We've drawn a line in the sand and are saying it will no longer be accepted, nor will we allow any new projects to use WEP after March 2009," says Russo. All current implementations need to end by June 2010.
The old PCI-DSS Version 1.1 will remain valid until December 31. For more details, visit the council's home page.