The Payment Card Industry standards for data security are central to any organization handling debit and credit cards, and many are keeping an eye on how PCI might evolve in 2009.
The PCI Security Standards Council (which sets the technical requirements for the PCI Data Security Standard) already has ushered in changes for next year, such as prohibiting merchants from new implementations of Wired Equivalent Privacy after March 31, 2009, because WEP is deemed too weak.
In the coming year, the council probably will tackle a number of new areas of concern, such as computer virtualization, where it may set security guidelines for use in card processing. Given virtualization's growing popularity, that has a lot of people paying attention.
“We just went virtual in July with our entire network, and it was a lot of work,” says Aaron Bills, chief operating officer at 3Delta Systems, which each year processes more than 5 million payment transactions worth more than $5 billion for more than 2,500 corporations and government institutions.
3Delta now has 50 Microsoft-based virtual servers running on about a dozen physical machines. The card processor elected to virtualize its infrastructure to simplify monitoring and save costs, particularly where it co-locates equipment.
Last August, 3Delta passed its fifth annual PCI security review by security assessor Fortrex Technologies, Bills says.
If the council determines there should be new security standards for virtualization, that could have an impact on 3Delta's network, as well as the card processor's merchant clientele, where virtualization is popular, too.
Some of today's PCI requirements “might seem to contradict virtualization, such as Section 2.2.1, which says there should be the implementation of only one primary function per server,” says Sumedh Thakar, PCI solutions manager for Qualys, which provides vulnerability-assessment scans required under PCI.
The PCI council has set up a special interest group on virtualization to look specifically at which new guidelines might be adopted regarding virtual machine environments, if any. Scanning virtual machines is also “definitely a challenge,” Thakar says.
Another topic the council is expected to look at closely next year pertains to the storage of credit card data before authorization. “Many people today don't realize PCI doesn't cover the storage of credit-card data before authorization,” Thakar says. Today, the major card brands, such as Visa and MasterCard, have their own rules in this regard, but PCI could come up with a unifying approach in 2009.
Bob Russo, the council's general manager, has said there is likely to be a discussion next year about how such security safeguards as encryption should be used in automated teller machines for processing personal identification numbers. Another important initiative will be to look at how end-to-end encryption might best be achieved in the payment-card environment.
If that effort bears fruit, a decidedly new PCI standard could emerge in the future for card protection
