Companies Handling Credit Card Data Get New Security Policies

The PCI Security Standards Council will release the Data Security Standard version 1.2

By Lucian Constantin, Web News Editor

30th of August 2008, 10:25 GMT

The Payment Card Industry (PCI) Security Standards Council has announced that a revised version of the Data Security Standard (DSS) will be finished by September 8. The new version, 1.2, will be presented at the council's upcoming community meetings in Orlando (for North America) and Brussels (for Europe). A likely compliance deadline is June 30, 2009, when PCI DSS 1.1 is expected to reach the end of its life cycle.

The PCI Security Standards Council is an organization set up to develop, and promote adoption of, the security practices that companies handling sensitive information such as credit and debit card data are expected to implement. It oversees several standards, including the Data Security Standard (DSS), the Payment Application Data Security Standard (PA-DSS) and the PIN Entry Device (PED) requirements. The council was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., and works closely with merchants and with the companies that process card payments on their behalf.

Such security practices are necessary given that losses resulting from credit card fraud are estimated at around $3 billion per year worldwide. However, the DSS has proved a challenge, particularly for small merchants: according to some statistics, fewer than 40% of companies that handle credit card data pass PCI audits and meet the most important requirements. Because of this, DSS version 1.1 prompted a large volume of feedback, and version 1.2 aims to clarify several of the requirements and answer the more than 2,500 questions the council has received.

The standard is not yet final, but some significant changes are already taking shape. For example, reviews of firewall rule sets will be required every six months instead of every quarter, as they are now. A significant change in wireless security is also expected: new deployments of the deprecated WEP (Wired Equivalent Privacy) protocol will not be permitted after March 2009. Instead, wireless networks that carry cardholder data should use the stronger protections defined for IEEE 802.11, namely WPA or WPA2. On the other hand, some wireless practices, such as disabling SSID broadcast, will no longer be mandatory, because hiding the SSID does not stop an attacker from learning it: the name is still sent in cleartext in the probe requests that clients send when looking for the network, and in the probe responses the access point sends back.
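To make the SSID point concrete, the following is an added example (not from the article or the PCI council) that builds constructed 802.11 management frames for a hypothetical access point and client, then shows that the beacon of a "hidden" network carries an empty SSID element while the client's probe request and the AP's probe response carry the full name. Frame layout follows the 802.11 management frame format (24-byte header, fixed fields, then tag/length/value information elements); the MAC addresses and the network name "POS-WIFI" are made up for the demonstration.

```python
import struct

# 802.11 management frame subtypes (frame control: type=0 management, subtype in bits 4-7)
SUBTYPE_PROBE_REQ = 0x4
SUBTYPE_PROBE_RESP = 0x5
SUBTYPE_BEACON = 0x8

MGMT_HDR_LEN = 24            # frame control(2) duration(2) addr1(6) addr2(6) addr3(6) seq ctrl(2)
FIXED_FIELDS = {             # fixed fields that precede the tagged parameters in the body
    SUBTYPE_BEACON: 12,      # timestamp(8) + beacon interval(2) + capability(2)
    SUBTYPE_PROBE_RESP: 12,  # same layout as a beacon
    SUBTYPE_PROBE_REQ: 0,    # probe requests start directly with information elements
}
IE_SSID = 0                  # element ID 0 is the SSID

def build_mgmt_frame(subtype, addr1, addr2, addr3, ies):
    """Build a minimal management frame (no radiotap header, no FCS) for the example."""
    frame_control = struct.pack('<H', subtype << 4)        # protocol 0, type 0 (management)
    header = (frame_control + struct.pack('<H', 0) + addr1 + addr2 + addr3
              + struct.pack('<H', 0))
    body = b'\x00' * FIXED_FIELDS[subtype]                 # zeroed fixed fields are fine here
    for tag, value in ies:
        body += struct.pack('BB', tag, len(value)) + value  # tag / length / value
    return header + body

def parse_ies(frame):
    """Return (subtype, {tag: [values]}) for a management frame, or (None, {}) otherwise."""
    fc = struct.unpack_from('<H', frame, 0)[0]
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    if ftype != 0 or subtype not in FIXED_FIELDS:
        return None, {}
    off = MGMT_HDR_LEN + FIXED_FIELDS[subtype]
    ies = {}
    while off + 2 <= len(frame):
        tag, length = frame[off], frame[off + 1]
        off += 2
        if off + length > len(frame):
            break  # truncated element: stop instead of reading past the frame
        ies.setdefault(tag, []).append(frame[off:off + length])
        off += length
    return subtype, ies

def extract_ssid(frame):
    """'' for a hidden SSID (zero-length or all-null element), None if no SSID element."""
    subtype, ies = parse_ies(frame)
    if subtype is None or IE_SSID not in ies:
        return None
    raw = ies[IE_SSID][0]
    if len(raw) == 0 or raw == b'\x00' * len(raw):
        return ''
    return raw.decode('utf-8', errors='replace')

def recover_hidden_ssids(frames):
    """Map each BSSID whose beacon hides its name to the name seen in its probe responses."""
    hidden, names = set(), {}
    for f in frames:
        subtype, _ = parse_ies(f)
        if subtype is None:
            continue
        bssid = f[16:22]                  # addr3 carries the BSSID in these frames
        ssid = extract_ssid(f)
        if subtype == SUBTYPE_BEACON and ssid == '':
            hidden.add(bssid)
        elif subtype == SUBTYPE_PROBE_RESP and ssid:
            names[bssid] = ssid
    return {b.hex(':'): names[b] for b in hidden if b in names}

# Constructed sample traffic (hypothetical addresses and network name).
AP = bytes.fromhex('00112233aabb')
CLIENT = bytes.fromhex('665544332211')
BCAST = b'\xff' * 6
RATES = (1, b'\x82\x84\x8b\x96')          # supported-rates element, present in real frames

BEACON = build_mgmt_frame(SUBTYPE_BEACON, BCAST, AP, AP, [(IE_SSID, b''), RATES])
PROBE_REQ = build_mgmt_frame(SUBTYPE_PROBE_REQ, BCAST, CLIENT, BCAST, [(IE_SSID, b'POS-WIFI'), RATES])
PROBE_RESP = build_mgmt_frame(SUBTYPE_PROBE_RESP, CLIENT, AP, AP, [(IE_SSID, b'POS-WIFI'), RATES])

if __name__ == '__main__':
    print('beacon SSID:        ', repr(extract_ssid(BEACON)))       # '' (hidden)
    print('probe request SSID: ', repr(extract_ssid(PROBE_REQ)))    # 'POS-WIFI'
    print('probe response SSID:', repr(extract_ssid(PROBE_RESP)))   # 'POS-WIFI'
    print('recovered:', recover_hidden_ssids([BEACON, PROBE_REQ, PROBE_RESP]))
```

The same parser works on frames captured from a monitor-mode interface once the radiotap header is stripped; the point for a PCI environment is that hiding the SSID is not a control, so it should not displace the actual requirement to run WPA or WPA2 with strong keys.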

Other clarifications include the requirement to run antivirus software on all operating systems, risk-based prioritization of security patches, and the acceptance of either passwords or passphrases, each tied to a unique user ID, for every person with computer access. The revision will also clarify that restricted physical access and the related handling procedures apply to all media containing card data, paper as well as electronic. The requirement to retain an audit trail, with at least the most recent three months immediately available for analysis, is also spelled out. On security testing, the revision clarifies that both internal and external tests are mandatory.

Although DSS version 1.2 arrives less than two years after version 1.1, the shorter interval was forced by circumstances, with Bob Russo, General Manager of the PCI Security Standards Council, noting that "we're hoping to stick to a two-year cycle after that."
© Copyright 2001-2009 Softpedia