Aug 18 2008

Summary of PCI-DSS 1.2 changes available

Published by at 6:57 am under PCI

It’s not comprehensive, but the PCI Standards Council has published a summary of the changes you should be expecting in version 1.2 of the PCI standards. A couple of the big changes I noticed at first read through:

  • WEP encryption will no longer be acceptable on new implementations as of March 31, 2009 and not acceptable anywhere as of June 30, 2010.
  • Every OS must have AV (or a compensating controls worksheet to explain why you don’t have it)
  • Patching will be risk based rather than within 30 days
  • Plenty of other clarifications and updates.

According to this document, the full release is due October 1, 2008. The summary is only a few pages long and worth taking the 10 minutes to read.

7 Responses to “Summary of PCI-DSS 1.2 changes available”

  1. Ben on 18 Aug 2008 at 9:33 am

    That AV requirement is just silly. I particularly like “Clarified that anti-virus software must address all known types of malicious software” because it could be met without providing any benefit. So, your AV needs to detect, what, a worm, a virus, a trojan, a bot, and what else? How do they define “type” of malicious software? Notice that they say “all known types” and not “all known instances” or some such thing. Ah, well, such is life in the prescriptive security universe, I guess… 😉

  2. Martin on 19 Aug 2008 at 5:05 am

    I’m pretty certain that this will be met by explaining compensating controls, at least short term. It’s perfectly acceptable to not meet a specific PCI requirement such as this, providing you can explain the compensating controls you have in place that meet or exceed the initial requirement. If you’re not going to run AV, then explain how you’re running all of your services using limited accounts, the memory protections inherent in *nix systems and any other measures you use to prevent viruses. I don’t necessarily agree with the PCI Council, but I understand why they’re making this a necessity.

  3. Aaron Guhl on 19 Aug 2008 at 8:30 am

    I agree. With all the compliance standards out today, they are all more about accountability than anything else. They want to make sure that you can provide documentation on every process your business goes through that pertains to technology. If you complete a certain task, then you have to have documentation saying that it was completed. If you don’t install AV, then you have to be able to provide documentation stating the precautions taken showing that AV is not needed. If there was a certain transaction, you have to be able to provide documentation showing that transaction. If there was access to a specific file, then there must be documentation showing that access.

    Technically speaking it shouldn’t be hard for a security administrator to conform with any of those compliance standards. But a lot of times it is the audit documentation and paper trail part that can be the hardest of it all.

  4. David Collins on 26 Aug 2008 at 3:14 pm

    “all operating system types” … “all known types of malicious software”

    I hope this doesn’t grow to include the firewalls, routers and switches that PCI data transits.

  5. […] Summary of PCI-DSS 1.2 changes: You might want the actual summary. […]

  7. Mike on 01 Oct 2008 at 11:12 am

    We have a detailed review of the changes in PCI DSS v1.2 online: