PciAnswers.com (Aegenis Group) posted today on the differences between PCI DSS version 1.1 and 1.2.
For me personally as a consumer, I appreciated seeing deadlines being set for WEP usage.
* New implementations of WEP are not allowed after March 31, 2009
* Current implementations must discontinue use of WEP after June 30, 2010
WEP is a seriously dead and dangerous technology and should not be used in, or within reach of, a network containing cardholder data. Remember some years ago, when people used to sit outside WalMart and sniff CC data?
The deadlines do seem a bit too far into the future, but my guess is that the time is needed for the larger merchants to replace legacy devices. On the other hand, this should already have been done years ago.
When it comes to Requirement 5, the anti-virus one, they note something I discarded in earlier posts:
* At first glance it appears that version 1.2 reverts to an older form of the standard by mandating “anti-virus software applies to all operating system types” but it quickly clarifies the intent still as those systems “commonly affected by malicious software.” Although the reference to UNIX is removed, it does state that companies should deploy on such systems “if applicable anti-virus technology exists.”
Requirement 10 has also been modified and now mandates that you retain your logs for at least one year, with the last three months available for immediate analysis. In other words, you can rotate your logs away to an archiving facility after three months and keep only the current data on your live log servers.
For me, and for all Panda Security business & enterprise customers, this means extending the variables for the built-in log retention even further. Previously we have extended the period only to three months, to prevent excessive information in the console (which makes it sluggish), combined with syslog logging that is rotated according to each company's internal routines.
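As an added illustration (my own example, not code from PciAnswers or from the Panda console), here is a small Python model of the Requirement 10 windows: files whose newest entry is within three months stay on the live log server, older files go to the archive, and only files whose newest entry is older than a year may be purged; the final check confirms the surviving files still reach back a full year. The 90/365-day counts are an assumption standing in for the three-month and one-year periods, and the file list is constructed.

```python
from dataclasses import dataclass
from datetime import date

# Windows from PCI DSS 1.2 Requirement 10: at least one year of audit history,
# with the most recent three months immediately available for analysis.
# The day counts are an assumption; the standard states the periods in months.
HOT_DAYS = 90
RETAIN_DAYS = 365


@dataclass
class LogFile:
    name: str
    first_entry: date  # date of the oldest record in the file
    last_entry: date   # date of the newest record in the file


def plan_retention(files: list, today: date) -> dict:
    """Sort log files into: keep on the live log server ("hot"), move to the
    archive, or past the retention period ("expired"). A file is judged by its
    NEWEST record: it leaves the hot window, or becomes deletable, only when
    even that record is older than the window, so no in-window entry is lost."""
    plan = {"hot": [], "archive": [], "expired": []}
    for f in files:
        age = (today - f.last_entry).days
        if age <= HOT_DAYS:
            plan["hot"].append(f.name)
        elif age <= RETAIN_DAYS:
            plan["archive"].append(f.name)
        else:
            plan["expired"].append(f.name)
    return plan


def history_days(files: list, today: date) -> int:
    """How far back, in days, the oldest surviving record reaches."""
    return max(((today - f.first_entry).days for f in files), default=0)


def retention_ok(files: list, today: date) -> bool:
    """True when, after purging the expired files, the remaining records still
    reach back at least RETAIN_DAYS (the one-year requirement)."""
    expired = set(plan_retention(files, today)["expired"])
    kept = [f for f in files if f.name not in expired]
    return history_days(kept, today) >= RETAIN_DAYS


# Constructed sample: monthly syslog files evaluated on a made-up reference date.
SAMPLE_TODAY = date(2009, 1, 15)
SAMPLE_FILES = [
    LogFile("audit-2009-01.log", date(2009, 1, 1), date(2009, 1, 15)),
    LogFile("audit-2008-12.log", date(2008, 12, 1), date(2008, 12, 31)),
    LogFile("audit-2008-11.log", date(2008, 11, 1), date(2008, 11, 30)),
    LogFile("audit-2008-10.log", date(2008, 10, 1), date(2008, 10, 31)),
    LogFile("audit-2008-09.log", date(2008, 9, 1), date(2008, 9, 30)),
    LogFile("audit-2008-01.log", date(2008, 1, 1), date(2008, 1, 31)),
    LogFile("audit-2007-12.log", date(2007, 12, 1), date(2007, 12, 31)),
]
```

Run with `plan_retention(SAMPLE_FILES, SAMPLE_TODAY)` and `retention_ok(SAMPLE_FILES, SAMPLE_TODAY)`; note that purging the December 2007 file is only safe because the January 2008 file still reaches back more than a year.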
A lot more news was presented, and it is available in an easily readable format at pcianswers.com.
Tags: 1.2, changes, news, PCI DSS, pcianswers.com