PCI council focuses on security standards and requirements

American Express, Discover, JCB, MasterCard and Visa have created an independent PCI standards council

The much anticipated update to the Payment Card Industry (PCI) Data Security Standard has been announced by the PCI Security Standards Council, an independent council created by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International that will manage the standard going forward. The council's first official act was the release of version 1.1 of the PCI standard.

Version 1.1 clarifies existing requirements as well as adds some requirements, but contrary to speculation over the past few months, it does not relax or water down security requirements for merchants and vendors. Specifically, there had been speculation that the encryption requirement would be relaxed and that organisations would have to scan only for SQL injection and cross-site scripting vulnerabilities. Neither proved to be the case.

"There is definitely not a reduction in security," said Seana Pitt, chairperson of the new PCI Security Standards Council and group vice president of global merchant policy and data quality for American Express. "One of the key objectives is addressing emerging threats and finding ways for us to allow key stakeholders to apply the standard more efficiently within business. Some [of the update] has been cleaning up imprecise language and recognising compensating controls -- there is more than one way to make sure data is secure -- and to give more pathways that merchants can show they can do those things."

Also of note, she said, is the new requirement under section 6, which is to develop and maintain secure systems and applications. The new 6.6 requirement states that all custom application code must be reviewed for common vulnerabilities by an organisation that specialises in application security or there must be a Web application firewall installed in front of Web-facing applications. This requirement will be considered a "best practice" until 30 June 2008, and then it becomes a requirement.

Pitt said with the addition of this best practice, as well as addressing implementation concerns and emerging threats, "we believe we're raising security."

Jeremiah Grossman, founder and CTO of WhiteHat Security in Santa Clara, Calif., called section 6.6 "probably the most significant change. A mandate of source code review for custom Web applications is huge -- it's something every expert will recommend."

The challenge, though, is the amount of source code out there, he said. The option to install a Web application firewall may be the easier solution, he said. "Customers are still leery about putting [a Web application firewall] in front of a production network because it has the ability to block legitimate traffic," he said.

But Grossman said he has been recommending organisations install the ModSecurity open source Web application firewall. "If the choice is a source code review or a Web application firewall, I think it will be easy for customers to install ModSecurity and call it a day," he said.

Dr. David Taylor, vice president data security strategies at Protegrity, which sells a Web application firewall, is naturally "pleased about that." Compared with changing development practices to incorporate security, "it turns out a firewall is lot easier to get." However, he added, "if the goal is to postpone everything for as long as possible, I guess people will wait for 2008."

Taylor said postponement was a tactic some organisations were taking with PCI compliance, hoping the update would relax some of the security requirements. "I did see a number of people waiting to implement PCI because they were thinking either the regulations would get easier to comply with or would be relaxed in one way or another."

But "PCI is not getting softer," he said. "People had been telling me they'd been told you're not going to have to encrypt anymore. The nice thing is, 1.1 specified what compensating controls must do and how you determine whether a compensating control is effective or good, but they haven't given people an easy out."

The council's role
While the standard is staying rigorous about security, the process itself is opening up to a wider community -- something those in the security community have said they wanted to see. With the formation of the council, merchants, payment devices and services vendors, processors, financial institutions and others now have the opportunity to participate in the new organisation and contribute to the evolution of the standard. All of the five founding members have agreed to incorporate the PCI standard as the technical requirements of each of their data security compliance programs. Enforcement, however, will be left up to the individual credit card brands.

The council's Pitt said she does not anticipate that the five payment brands will vary from or add to the requirements on an individual basis. "My expectation is that the PCI data security standard will be the technical foundation for all brands going forward; each will drive additions through the council. I don't see individual effort happening at this point in time. There is a huge commitment to ensure that standards are well adopted."

As for any vendors that have been certified by the individual brands to provide PCI compliance services, they will be re-contracted by the council when their certification comes due, and the council will maintain a list on its Web site of all certified vendors that will recognised by all five credit card brands, Pitt said.

"The formation of a new committee is pretty interesting," Grossman said. "It makes complete sense that all the brands are working together."

Read more on PC hardware