
Changes to PCI rules: What you need to know

The Payment Card Industry (PCI) rules on securing customer card information play a big role in network design. With updated modifications to the PCI Data Security Standard (DSS) 2.0 guidelines kicking in at the end of the month, here's what you need to know.


The main tweak to the 12-part PCI standard for compliance that kicks in at the end of June is a new requirement for "risk rankings to vulnerabilities," says Alex Quilter, director of PCI at Qualys, who says it is mainly associated with PCI rule 6.2 for secure systems and software. Any business that processes customer debit and credit card information must now be able to show not only that it is aware of known vulnerabilities, but that it has a process for ranking them according to the risk they pose to its own systems and software.

"This is an evolution of the requirements," Quilter says. "You need to show a process for risk rankings." This means obtaining information about known vulnerabilities from publicly available sources, whether vendor security alerts or elsewhere, and then prioritizing the risks to the organization's network as they relate to protecting PCI data, if that is not done already. These risks need to be prioritized as high, medium or low.

Quilter says the new emphasis on vulnerability risk rating also means that the PCI DSS 11.2 rule is tightened up from its previous language on scanning requirements to now require that organizations show proof of passing an internal vulnerability assessment.

These assessments have to be done quarterly and after any significant change, and performed by a qualified source. The assessment has to show a "passing result," he says. This means that what are considered "high" vulnerabilities to the internal network as related to securing PCI data that were defined in the PCI DSS 6.2 requirement, as updated, are "resolved."
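As an added illustration (not code from the article, Qualys or the PCI Council), the following Python models the two requirements described above: a documented high/medium/low ranking of vulnerabilities gathered from public sources (6.2), and an internal scan that only "passes" when it is recent and every high-ranked finding is resolved (11.2). The ranking rule and the sample findings are constructed assumptions; PCI DSS leaves the actual ranking method to the organization.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Vulnerability:
    vuln_id: str        # identifier from the public source (vendor alert, NVD, ...)
    base_score: float   # severity published by the source, 0.0-10.0 (CVSS-style)
    asset: str          # internal host the finding applies to
    in_cde: bool        # asset stores, processes or transmits cardholder data
    resolved: bool = False

def risk_rank(v: Vulnerability) -> str:
    """Hypothetical 6.2 ranking rule: band by published severity, then escalate
    one band when the asset is inside the cardholder data environment (CDE)."""
    if v.base_score >= 7.0:
        band = 2
    elif v.base_score >= 4.0:
        band = 1
    else:
        band = 0
    if v.in_cde:
        band = min(band + 1, 2)
    return ("low", "medium", "high")[band]

def internal_scan_result(vulns, scan_date, today, max_age_days=90):
    """Model the 11.2 'passing result': the scan is within the quarterly window
    and no high-ranked vulnerability remains unresolved. Returns (passed, reasons)."""
    reasons = []
    if (today - scan_date) > timedelta(days=max_age_days):
        reasons.append(f"last scan {scan_date} older than {max_age_days} days")
    open_high = [v.vuln_id for v in vulns if risk_rank(v) == "high" and not v.resolved]
    if open_high:
        reasons.append("unresolved high-risk findings: " + ", ".join(open_high))
    return (not reasons, reasons)

# Constructed sample findings; IDs and hosts are placeholders, not real advisories.
SAMPLE = [
    Vulnerability("VULN-A", 9.1, "pos-gateway-01", True),
    Vulnerability("VULN-B", 5.3, "pos-gateway-01", True),
    Vulnerability("VULN-C", 5.3, "marketing-web", False),
    Vulnerability("VULN-D", 2.0, "pos-gateway-01", True),
    Vulnerability("VULN-E", 8.0, "hr-fileserver", False, resolved=True),
]
SCAN_DATE, TODAY = date(2012, 6, 1), date(2012, 6, 28)   # constructed dates
STALE_SCAN = date(2012, 1, 1)

if __name__ == "__main__":
    for v in SAMPLE:
        print(f"{v.vuln_id:8} {v.asset:16} {risk_rank(v)}")
    print(internal_scan_result(SAMPLE, SCAN_DATE, TODAY))
```

A medium-severity finding on an in-scope host (VULN-B) is ranked high and blocks the passing result, while the same score off the CDE (VULN-C) stays medium.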

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.
