Welcome to NBlog, the NoticeBored blog

I may meander but I'm exploring, not lost

Aug 22, 2008

PCI DSS update

An update to the Payment Card Industry Data Security Standard (PCI DSS) has been announced with a preview/summary of the changes due for release in version 1.2 on 1st October.

Most of the changes are classified as clarifications of existing requirements, but the controls for wireless networks caught my beady eye. On the one hand, PCI DSS seemingly acknowledges that WEP is no longer adequate (about time!), but on the other it allows WEP to continue until July 2010. 2010! That's like saying "Wardrivers, take your time, you have 2 years to find and exploit vulnerable stores". Given recent high-profile incidents of that nature, I'm puzzled as to why WEP is tolerated at all. PCI DSS 1.2 is an opportunity to drive up security standards and in many respects it is incrementally improving things, but in this one respect, they're letting the chance slip by.

Examples of "critical employee-facing technologies" that ought to be covered by security policies will be expanded to include "remote access technologies, wireless technologies, removable electronic media, email usage, internet usage, laptops, and Personal Data Assistants (PDAs)". I'm pleased to say that we have been covering those issues for years in the NoticeBored security awareness service, and will be covering them all before the end of this year. [RATs were mentioned in the malware module in March. We're currently finalizing next month's module on email security, and researching a forthcoming module on 'securing portable IT devices' for release in December.]

Employees will be required to acknowledge that they have read and understood the company’s security policy and procedures “at least annually”. Note the wording: employees will have to acknowledge the policies and procedures. Management's focus will be on getting bits of paper signed or learning management systems ticked once a year, rather than confirming that employees actually understand and recall the policies or pushing for more frequent awareness and training. That's another opportunity missed. Ho hum.

Against this background, I'll be just a touch more cynical next time someone complains about the 'PCI DSS compliance overhead', and even more careful about giving anyone my payment card details.

[Thanks to the Security Warrior, Anton Chuvakin, for alerting me to this. Anton's home turf is security logging but like many infosec pros, he has fingers in many pies.]