InternetNews.com reports that the PCI Security Standards Council's latest version 1.2 of the PCI Data Security Standard, or PCI-DSS, is available for merchant use beginning Oct. 1. The Council says version 1.2 will "not introduce any major new requirements" and will only "introduce clarifying items." The clarifications include:
- Addition of monitoring capabilities for removable electronic media, e-mail, Web, laptops and PDAs.
- The Wired Equivalent Privacy, or WEP, wireless security protocol is dropped in favor of the newer IEEE 802.11x standard.
- Tightening of security requirements for employees of companies the PCI-DSS governs.
- Security policy requiring employees to acknowledge that they have read and understood their security policy and procedures at least once a year.
- New wireless network implementations cannot use WEP after March 31, 2009, and current implementations must get rid of WEP by June 30, 2010.
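The two WEP dates above translate directly into an inventory check a merchant can run against its own wireless configuration records. The following is an added example, not code from InternetNews.com, the Council or Qualys; the inventory records and their field names (`ssid`, `encryption`, `deployed_on`) are constructed for the example and do not reflect any real tool's output format.

```python
from datetime import date

# Deadlines quoted in the PCI-DSS 1.2 summary: new wireless deployments may not
# use WEP after 31 March 2009, and existing WEP deployments must be retired by
# 30 June 2010.
NEW_WEP_CUTOFF = date(2009, 3, 31)
WEP_SUNSET = date(2010, 6, 30)

# Constructed sample inventory (assumed field names, not a real tool's format).
SAMPLE_INVENTORY = [
    {"ssid": "POS-Floor1", "encryption": "WEP-104", "deployed_on": date(2008, 11, 2)},
    {"ssid": "POS-Floor2", "encryption": "wep", "deployed_on": date(2009, 5, 14)},
    {"ssid": "Corp", "encryption": "WPA2-AES", "deployed_on": date(2009, 1, 9)},
]


def uses_wep(encryption):
    """True for any WEP label variant (WEP, WEP-40, WEP-104, wep, ...)."""
    return encryption.strip().lower().startswith("wep")


def wep_finding(entry, as_of):
    """Return a finding string for one inventory entry, or None if it raises no WEP issue."""
    if not uses_wep(entry["encryption"]):
        return None
    if entry["deployed_on"] > NEW_WEP_CUTOFF:
        # Deployed after the cutoff: a new WEP network, prohibited outright.
        return f"{entry['ssid']}: new WEP deployment after {NEW_WEP_CUTOFF} is prohibited"
    if as_of > WEP_SUNSET:
        # Pre-cutoff network still running WEP after the sunset date.
        return f"{entry['ssid']}: existing WEP deployment past sunset date {WEP_SUNSET}"
    days_left = (WEP_SUNSET - as_of).days
    return f"{entry['ssid']}: existing WEP deployment must be retired within {days_left} days"


def audit_wireless(inventory, as_of):
    """Apply the WEP rules to a whole inventory; returns the list of findings (compliant entries are omitted)."""
    return [f for f in (wep_finding(e, as_of) for e in inventory) if f is not None]


if __name__ == "__main__":
    # Audit as of the date version 1.2 became available for merchant use.
    for finding in audit_wireless(SAMPLE_INVENTORY, date(2009, 10, 1)):
        print(finding)
```

Run against the sample inventory on Oct. 1, 2009, the check reports the pre-cutoff WEP network with its remaining grace period and flags the post-cutoff WEP network as prohibited, while the WPA2 network produces no finding; running it with a later `as_of` date shows the grace period turning into a sunset violation.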
Sumedh Thakar, PCI solutions manager at Qualys, told InternetNews.com he welcomes these changes because a vulnerability scan is more doable and less expensive than going through your source code. Instead of having to go through possibly millions of lines of source code, companies can run a scan, then focus on detected vulnerabilities in the code and remedy those. Another change that Thakar likes is the Council formally ruling out the use of WEP, which has, since 2001, been known to be easy to crack. "The standard has always recommended that WEP not be used, but now they're putting in a timeline," added Thakar.