Gary Palgon
Vice President, Product Management
nuBridges
On August 18th, the PCI Security Standards Council released a four-page summary document outlining proposed changes in the upcoming 1.2 version of the PCI DSS. Version 1.2, due out this October, is the first update since September 2006. It includes recommendations from retailers, security product vendors, developers and financial institutions. As a member of the Security Standards Council, nuBridges has had an opportunity to review the draft and will participate once again in the Council’s Second Annual Community Meeting.
While version 1.2 doesn’t introduce any major new requirements, it does provide greater clarity on all 12 PCI DSS requirements; offers improved flexibility; incorporates best practices; and eliminates redundant sub-requirements. Here’s a preview of a few of the changes included in the August 18th draft:
Clarifies requirement for disk encryption to emphasize local user account databases.
Makes requirement 6.6 mandatory – all public-facing Web applications are subject to either 1) review of the applications via manual or automated vulnerability assessment tools or methods, or 2) installation of an application-layer firewall in front of the public-facing Web applications.
Expands the list of critical employee-facing technologies that must be covered by a company’s security policy to include “remote access technologies, wireless technologies, removable electronic media, email usage, Internet usage, laptops and Personal Data Assistants (PDAs).”
Emphasizes that the requirement to secure media extends to electronic and paper media containing cardholder data.
Do you have a question, comment or suggestion that you’d like me to voice at the Council’s upcoming meeting? Just let me know!
Until next time,
Gary