New PCI DSS Standards – No Worries If You Automate and Normalize

By Kamlesh Mehta
December 1, 2008
Payment Card Industry Data Security Standards impact all types of enterprises and can create risk beyond retail operations.


The PCI Security Standards Council released version 1.2 of the PCI Data Security Standard in October 2008. According to the previews, the clarifications offer improved flexibility for addressing today’s security challenges, but this version adds no new major requirements to the existing twelve. According to Bob Russo, general manager of the PCI Security Standards Council, “Version 1.2 should be seen as an improvement, not a departure from tried and true best security practices.”

Get all details on the changes at: www.pcisecuritystandards.org/pdfs/pci_dss_summary_of_changes_v1-2.pdf.

   
New wireless network requirements are a focus of the 1.2 revisions, and it is easy to see why: remember the TJX breach? Who can forget the theft of 40 million credit and debit card numbers? The Department of Justice has stated that eleven individuals were charged, and the indictment alleges that during the course of the sophisticated conspiracy they obtained the credit and debit card numbers by “wardriving” and hacking into the wireless networks of major retailers including TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, The Sports Authority, Forever 21 and DSW.



Tighter Standards

Once inside the networks, the perpetrators installed “sniffer” programs that would capture card numbers, as well as password and account information, as they moved through the retailers’ credit and debit processing networks.

   
The PCI Security Standards Council is tightening the rules for wireless networks. For instance, Requirement 2 (Do not use vendor-supplied defaults for system passwords and other security parameters) now:

  • Clarifies that the requirement applies to wireless environments “attached to cardholder environment or transmitting cardholder data”
  • Removes references to Wired Equivalent Privacy (WEP) in order to emphasize using strong encryption technologies for wireless networks, for both authentication and encryption
  • Removes requirement to disable Service Set Identifier (SSID) broadcast since disabling SSID broadcast does not prevent a malicious user from determining the SSID, as the SSID is broadcast over numerous other messaging/communication channels.

The requirement seems simple enough; after all, even home wireless users turn on Wi-Fi Protected Access (WPA) and change the default password. But Level 1 and Level 2 merchants have hundreds and sometimes thousands of store locations, and human error born of repetition or boredom can produce a configuration slip at any one of them. Automating the maintenance of configurations, password rotation and access control lists (ACLs) reduces that fatigue and helps lock down wireless routers.
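To make the “configuration slip” concrete, here is an added example of the fleet-wide check an automation tool would run against the three Requirement 2 points above, together with the normalized configuration it would push back. It is illustration written for this edit, not code from the author or from nSolutions; the configuration fields, the vendor-default credential list and the three sample stores are constructed assumptions. The check deliberately ignores SSID broadcast, matching the 1.2 change.

```python
"""Audit and normalize wireless access-point settings across a fleet of
stores against the Requirement 2 points listed above.

Added example for this article; not code from the author or nSolutions.
The config fields, vendor defaults and sample fleet are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, replace

# Assumed vendor defaults, as an auditor would seed them from the device
# manuals. Constructed for illustration.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("cisco", "cisco")}
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}
# 1.2 drops the WEP reference in favour of "strong encryption"; this
# baseline accepts only WPA2 with AES/CCMP for authentication and encryption.
STRONG_ENCRYPTION = {"WPA2-AES"}


@dataclass(frozen=True)
class ApConfig:
    site: str
    admin_user: str
    admin_password: str
    encryption: str        # "WEP", "WPA-TKIP", "WPA2-AES", ...
    snmp_community: str
    ssid_broadcast: bool   # no longer a finding under 1.2
    in_cde: bool           # attached to, or transmitting, cardholder data


def audit_ap(cfg: ApConfig) -> list[str]:
    """Return the Requirement 2 findings for one access point."""
    findings = []
    if (cfg.admin_user, cfg.admin_password) in DEFAULT_CREDENTIALS:
        findings.append("vendor-default admin credentials")
    if cfg.encryption not in STRONG_ENCRYPTION:
        findings.append(f"weak wireless encryption: {cfg.encryption}")
    if cfg.snmp_community in DEFAULT_SNMP_COMMUNITIES:
        findings.append(f"vendor-default SNMP community: {cfg.snmp_community}")
    # No check on ssid_broadcast: hiding the SSID is not a control, and
    # 1.2 removed that requirement.
    return findings


def audit_fleet(fleet: list[ApConfig]) -> dict[str, list[str]]:
    """Findings per site, limited to APs in scope (attached to the CDE)."""
    report = {}
    for cfg in fleet:
        if not cfg.in_cde:
            continue
        findings = audit_ap(cfg)
        if findings:
            report[cfg.site] = findings
    return report


def normalize_ap(cfg: ApConfig, new_password: str, new_community: str) -> ApConfig:
    """Build the corrected configuration the automation would push.

    Each site gets its own generated admin password and SNMP community and
    encryption is forced to the baseline. A new record is returned rather
    than mutating the audited one, so the before/after diff can be reported.
    """
    return replace(cfg, admin_password=new_password, encryption="WPA2-AES",
                   snmp_community=new_community)


# Constructed sample fleet: two in-scope stores and one out-of-scope guest AP.
SAMPLE_FLEET = [
    ApConfig("store-0012", "admin", "admin", "WEP", "public", True, True),
    ApConfig("store-0013", "admin", "k7!Qz9#rLm2", "WPA2-AES", "s0013-ro-4f1a", False, True),
    ApConfig("cafe-guest", "admin", "admin", "WPA-TKIP", "public", True, False),
]

if __name__ == "__main__":
    for site, findings in audit_fleet(SAMPLE_FLEET).items():
        print(site, findings)
        fixed = normalize_ap(SAMPLE_FLEET[0], "generated-per-site", "s0012-ro-9c2e")
        print(site, "after normalization:", audit_ap(fixed))
```

Run it against a real configuration export by replacing SAMPLE_FLEET with records pulled from each device; the point is that the same check and the same baseline apply to every store, so a slip at site 900 is caught the same way as one at site 1.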

   
ACLs add a layer of security to the network. An ACL filters traffic by deciding which routed packets may pass through a router interface: each packet is compared against the list’s rules in order, the first matching rule permits or drops it, and a packet that matches no rule is dropped by the implicit deny at the end of the list. The router thereby acts as a packet-filtering firewall, passing or dropping packets according to the access rules or criteria specified.
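Added example, not the author’s or nSolutions’ code, of how a router evaluates an ACL: first match wins, and a packet that matches no rule hits the implicit deny. The addresses and the store rule set are constructed. The shadowed-rule check at the end is the kind of sanity test worth running on ACLs generated for hundreds of sites, because a misplaced permit silently disables every rule below it.

```python
"""First-match ACL evaluation with implicit deny, plus a check for rules
that can never match. Added example for this article, not code from the
author or nSolutions; addresses and rule sets are constructed.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp", "icmp" or "ip" (any)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None    # None matches any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: Optional[int] = None


def rule(action: str, proto: str, src: str, dst: str, dport: Optional[int] = None) -> Rule:
    return Rule(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)


def packet(proto: str, src: str, dst: str, dport: Optional[int] = None) -> Packet:
    return Packet(proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)


def matches(r: Rule, p: Packet) -> bool:
    return (r.proto in ("ip", p.proto)
            and p.src in r.src and p.dst in r.dst
            and (r.dport is None or r.dport == p.dport))


def evaluate(acl: list[Rule], p: Packet) -> tuple[str, Optional[int]]:
    """Return (action, index of the matching rule). (deny, None) means no
    rule matched and the implicit deny at the end of the ACL applied."""
    for i, r in enumerate(acl):
        if matches(r, p):
            return r.action, i
    return "deny", None


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet matching `later` also matches `earlier`."""
    return (earlier.proto in ("ip", later.proto)
            and later.src.subnet_of(earlier.src)
            and later.dst.subnet_of(earlier.dst)
            and (earlier.dport is None or earlier.dport == later.dport))


def shadowed_rules(acl: list[Rule]) -> list[int]:
    """Indexes of rules fully covered by an earlier rule. They never fire,
    which is the usual sign of an ordering mistake in generated ACLs."""
    return [j for j in range(len(acl)) if any(covers(acl[i], acl[j]) for i in range(j))]


# Constructed store ACL: the POS segment 10.20.1.0/24 may reach the payment
# gateway on TCP 443 and the internal syslog collector on UDP 514; all other
# traffic from that segment is denied explicitly so the drops are logged.
STORE_ACL = [
    rule("permit", "tcp", "10.20.1.0/24", "203.0.113.10/32", 443),
    rule("permit", "udp", "10.20.1.0/24", "10.0.5.5/32", 514),
    rule("deny",   "ip",  "10.20.1.0/24", "0.0.0.0/0"),
]

# The same intent with a permit-any pasted above the deny: rule 2 is dead
# and the POS segment can reach anything.
BROKEN_ACL = [
    rule("permit", "tcp", "10.20.1.0/24", "203.0.113.10/32", 443),
    rule("permit", "ip",  "10.20.1.0/24", "0.0.0.0/0"),
    rule("deny",   "ip",  "10.20.1.0/24", "0.0.0.0/0"),
]

if __name__ == "__main__":
    print(evaluate(STORE_ACL, packet("tcp", "10.20.1.7", "203.0.113.10", 443)))
    print(evaluate(STORE_ACL, packet("tcp", "10.20.1.7", "203.0.113.10", 22)))
    print("shadowed in BROKEN_ACL:", shadowed_rules(BROKEN_ACL))
```

The explicit final deny in STORE_ACL is redundant with the implicit one, but it is what makes the denied packets visible in the logs that Requirement 10 asks for.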

   
As for password rotation, automation makes password changes and management easier. With its help, IT and physical security professionals can assign resources to users based on business roles and policies, and the necessary approval workflows are automated, which improves security. Automation also makes it easier to manage users’ access needs without relying on a network administrator: when roles change, access rights are updated automatically. Here again, the benefit of automating IT change and configuration management carries over from one version of the PCI requirements to the next without another investment.

   
Automation also helps with the enhancements to Requirement 8 (Assign a unique ID to each person with computer access), which now:

  • Clarifies that testing procedures must verify that passwords are unreadable in storage and transmission.
  • Clarifies user authentication by allowing both passwords and passphrases, and by combining previous bullets under “two-factor authentication” and providing examples.

Aside from the wireless requirements, the Council is also focusing on secure systems and applications and on monitoring access to network resources. Requirement 6.6 is now mandatory: every public-facing web application must either be reviewed for vulnerabilities, using manual or automated application vulnerability assessment tools or methods, at least annually and after any change, or be placed behind an application-layer firewall.

   
Requirement 10: Track and monitor all access to network resources and cardholder data:

  • Clarifies that logs for external facing technologies (for example, for wireless, firewalls, DNS and mail) must be copied to an internal log server.
  • Provides flexibility and clarifies that three months of audit trail history must be “immediately available for analysis” or quickly accessible (online, archived or restorable from backup).
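Added example, not code from the author or nSolutions, of normalizing lines from three external-facing sources (a firewall, a wireless controller and a DNS server) into one record shape on the internal log server, and of checking the two points above: that each expected source is actually still copying its logs in, and that the online audit trail reaches back the three months the standard asks to be immediately available. The line formats, host names and sample lines are constructed, not real vendor output.

```python
"""Normalize log lines from external-facing devices into one record shape
on the internal log server and check two Requirement 10 conditions.

Added example for this article, not code from the author or nSolutions.
The three line formats, host names and sample lines are constructed.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str     # firewall | wireless | dns
    host: str
    action: str
    detail: str


# Constructed formats: "<iso-timestamp> <host> <program>: <action> <detail>"
PARSERS = [
    ("firewall", re.compile(r"^(?P<ts>\S+) (?P<host>\S+) fw: (?P<action>DENY|ALLOW) (?P<detail>.+)$")),
    ("wireless", re.compile(r"^(?P<ts>\S+) (?P<host>\S+) wlan\[\d+\]: (?P<action>assoc|deauth) (?P<detail>.+)$")),
    ("dns",      re.compile(r"^(?P<ts>\S+) (?P<host>\S+) named: (?P<action>query|denied) (?P<detail>.+)$")),
]


def normalize(line: str) -> Optional[Event]:
    """Map a raw line to an Event. None means the format is unknown; the
    caller must keep the raw line rather than drop it silently."""
    for source, rx in PARSERS:
        m = rx.match(line.strip())
        if m:
            return Event(datetime.fromisoformat(m["ts"]), source,
                         m["host"], m["action"], m["detail"])
    return None


def silent_sources(events: list[Event], expected_hosts: set[str],
                   now: datetime, max_gap: timedelta) -> set[str]:
    """Hosts that should be copying logs to this server but have sent nothing
    parseable within max_gap. A forwarder that dies quietly is the failure
    mode that makes 'copied to an internal log server' worth monitoring."""
    last_seen: dict[str, datetime] = {}
    for e in events:
        if e.host not in last_seen or e.ts > last_seen[e.host]:
            last_seen[e.host] = e.ts
    return {h for h in expected_hosts
            if h not in last_seen or now - last_seen[h] > max_gap}


def online_window_ok(events: list[Event], now: datetime, required_days: int = 90) -> bool:
    """True if the oldest event still online is at least required_days old,
    i.e. three months of history are immediately available for analysis."""
    if not events:
        return False
    oldest = min(e.ts for e in events)
    return now - oldest >= timedelta(days=required_days)


# Constructed sample lines from one store's external-facing devices.
SAMPLE_LINES = [
    "2008-07-03T09:12:01 fw-0012 fw: DENY tcp 198.51.100.7:4444 -> 10.20.1.9:22",
    "2008-10-02T18:40:17 wlc-0012 wlan[2231]: deauth client 00:1b:77:aa:bb:cc reason=7",
    "2008-10-03T08:01:55 ns-0012 named: denied query for example.com from 203.0.113.5",
    "2008-10-03T08:02:10 fw-0012 fw: ALLOW tcp 10.20.1.9:50321 -> 203.0.113.10:443",
    "2008-10-03T08:02:11 mailgw-0012 postfix/smtpd: connect from unknown",  # no parser yet
]
NOW = datetime(2008, 10, 3, 9, 0, 0)
EXPECTED_HOSTS = {"fw-0012", "wlc-0012", "ns-0012", "mailgw-0012"}


def run_sample() -> tuple[list[Event], list[str], set[str], bool]:
    events, unparsed = [], []
    for line in SAMPLE_LINES:
        e = normalize(line)
        if e is None:
            unparsed.append(line)
        else:
            events.append(e)
    silent = silent_sources(events, EXPECTED_HOSTS, NOW, timedelta(hours=6))
    return events, unparsed, silent, online_window_ok(events, NOW)


if __name__ == "__main__":
    events, unparsed, silent, ok = run_sample()
    print(len(events), "normalized,", len(unparsed), "unparsed")
    print("silent sources:", silent, "| 90-day window online:", ok)
```

Note that the mail gateway shows up as silent even though it is sending: its lines have no parser yet, so nothing from it reaches the normalized store. Counting unparsed lines per host, not just normalized events, is how you tell those two cases apart.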

Again, automating change and configuration management for Requirements 6.6 and 10 is a valuable asset, but only if it scales across the entire IT infrastructure. Focusing only on network devices, routers or servers is not sufficient; holes will remain in applications and, now, in virtual devices. The practical solution is to normalize all changes and all configurations through one system that cuts across IT silos and produces in-depth reports for internal use as well as for auditors.

   
In conclusion, automating the administration and tracking of all IT changes and configurations helps future-proof processes against new revisions to existing PCI requirements. The same approach shores up the entire IT infrastructure and lays a foundation that scales across Sarbanes-Oxley, HIPAA, the Gramm-Leach-Bliley Act and other mandates as well.

Kamlesh Mehta founded nSolutions (www.nsolutionsinc.net) and serves as the CTO and VP of engineering at nSolutions.
