PCI Council to Merchants: Kiss Your WEP Goodbye

The security savvy know WEP is full of holes and shouldn’t be used. That’s not stopping some merchants from doing just that.

As a result, the PCI Security Standards Council is mandating its eradication in the next two years. The first step toward that is some fresh language on wireless security in the next version of the PCI Data Security Standard (PCI DSS).

The council released a summary of PCI DSS Version 1.2 earlier this week and will officially launch it Oct. 1. Among other things, the council will remove references to WEP security and instead push organizations to use stronger forms of wireless network encryption. New WEP deployments won’t be allowed after March 31, 2009, and current implementations must stop using WEP after June 30, 2010.

In this Q&A, PCI Security Standards Council General Manager Bob Russo and Technical Director Troy Leach explain the reasoning behind the move as well as other changes in Version 1.2.

CSO: What will people notice the most about Version 1.2?

Bob Russo: I think the top-of-mind here should be clarity — making sure people understand specifically what the intent [of the standard] is. This is the culmination of two years of feedback the council has received. We’ve clarified specifics as to what needs to be secured. In some instances we’ve had to put a line in the sand and let people understand we’re moving away from some things at some point.

Give an example of that.

Russo: Wireless is a major area. We’ve had to make some specific clarifications and let people know we are eventually moving away from WEP & We need to let people know there are other technologies available and that it’s time we moved on to some of those new technologies.

What’s the timetable for no longer allowing anything with WEP?

Russo: I don’t think you can draw absolutes. There are always exceptions to the rules. But what we’ve stated in the summary is no more new implementations of WEP after March 1, 2009 and the current implementations have to stop by the end of June 2010. There will always be issues and we’ll need to move slowly and deal with problems on a case-by-case basis. But we need to let people know we are moving away from WEP.

For those who may not have the background on wireless security, talk about why WEP needs to be done away with.

Troy Leach: There are inherent authentication vulnerabilities in WEP. That’s why even in PCI DSS Version 1.1 we put in a lot of caveats to using WEP; a lot of additional requirements for using it. If you deploy WEP, there are sub-requirements that became a little confusing for some of the merchants so we decided to follow what the rest of the industry is pushing and move toward a [better] wireless security standard.

Talk about some of the other aspects of the standard where people have clamored for better clarity.

Russo: One area that rose to the top was patch management and the need for installing patches within 30 days. In a large enterprise sometimes that may not be possible because of testing procedures. In some cases, based on the risk of the specific patch, the affect may not be so great. But if it’s a critical patch for a big gaping hole you don’t want to delay getting that in because there’s a huge vulnerability there. In those instances 30 days or sooner is prudent on the part of the merchant. But there are others who require a longer testing plan, so we offer some flexibility there. If you take a risk-based approach, depending on what the patch is, we would allow longer than 30 days.

Leach: Another good example is that in Requirement 9, before, in Version 1.1, we said all off-site storage had to be visited periodically. There was confusion in the market over what we specifically meant by periodically. So with this version of the standard we tried to remove all the ambiguity and say that on at least an annual basis, off-site storage should be visited to make sure all the security procedures are in place.

Russo: In the same specific requirement we were talking about whether paper needs to be included in this as well. We’ve now clarified that it certainly needs to be.

When can the industry expect the next PCI DSS update?

Russo: Generally we work on a two-year lifecycle. What you’re seeing now [with Version 1.2] is the culmination of a year and a half to two years worth of feedback and input. And this is only a summary of changes. We’re still tweaking this, and there will be more meat by the time this is released in early October.

In the big picture, are most merchants doing what they really need to be doing to meet this standard?

Russo: I think most people are using the standard as a springboard to get secure not just with credit card data but for the entire enterprise. Based on the questions and feedback I get in my travels, I see people looking at this as more of a security issue than a list of boxes on a sheet to be checked off.

Leach: Compliance with PCI has led many organizations to discover the value of security.