Changes to PCI rules: What you need to know

The Payment Card Industry (PCI) rules governing the security of customer card information play a big role in network design, and with some updates to the PCI Data Security Standard (DSS) 2.0 guidelines kicking in at the end of the month, here's what you need to know.


The main tweak to the 12-part PCI compliance standard that kicks in at the end of June is a new requirement for "risk rankings to vulnerabilities," says Alex Quilter, director of PCI at Qualys, who says it is mainly associated with PCI rule 6.2 for secure systems and software. Any business that processes customer debit and credit card information must now be able to show not only that it is aware of known vulnerabilities, but also that it has a process for ranking them by the risk they pose to its own systems and software.

"This is an evolution of the requirements," Quilter says. "You need to show a process for risk rankings." This means obtaining information about known vulnerabilities from publicly available sources, whether vendor security alerts or elsewhere, and then prioritizing the risks to the organization's network as they relate to protecting PCI data, if that is not done already. These risks need to be prioritized as high, medium or low.

Quilter says the new emphasis on vulnerability risk rating also means that the PCI DSS 11.2 rule on scanning has been tightened from its previous language: organizations must now show proof of passing an internal vulnerability assessment.

These assessments have to be done quarterly and after any significant change, and must be performed by a qualified source. The assessment has to show a "passing result," he says. This means that the vulnerabilities ranked "high" for the internal network under the updated PCI DSS 6.2 requirement, as they relate to securing PCI data, must be "resolved."
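To make the 6.2 ranking process and the 11.2 "passing result" concrete, here is an added example (not from the article, Qualys or the PCI Council) that ranks constructed scan findings high/medium/low and checks whether any high-ranked finding is still open. The score thresholds and the escalation for assets in the cardholder data environment (CDE) are assumptions standing in for an organization's own ranking policy, which the standard leaves to the organization; the advisory identifiers are placeholders.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    advisory: str      # identifier from the public source (placeholders below)
    cvss: float        # base score published with the vendor/NVD advisory
    in_cde: bool       # asset stores, processes or transmits cardholder data
    resolved: bool = False


def risk_rank(f: Finding) -> str:
    """Rank a finding for this organization's environment.

    Assumed policy: 7.0+ is high, 4.0-6.9 medium, below 4.0 low, and a
    finding on an in-scope (CDE) asset is raised one level. PCI DSS only
    requires that a documented process exist; these numbers are illustrative.
    """
    if f.cvss >= 7.0:
        rank = "high"
    elif f.cvss >= 4.0:
        rank = "medium"
    else:
        rank = "low"
    if f.in_cde and rank == "medium":
        rank = "high"
    elif f.in_cde and rank == "low":
        rank = "medium"
    return rank


def unresolved_high(findings):
    """Findings that would block a 'passing' 11.2 internal assessment."""
    return [(f.host, f.advisory) for f in findings
            if risk_rank(f) == "high" and not f.resolved]


def assessment_passes(findings) -> bool:
    """Passing result: every finding ranked high has been resolved."""
    return not unresolved_high(findings)


def rank_counts(findings):
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[risk_rank(f)] += 1
    return counts


# Constructed sample scan output; advisory ids are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("pos-terminal-01", "ADVISORY-PLACEHOLDER-1", 9.8, in_cde=True),
    Finding("payment-web-02", "ADVISORY-PLACEHOLDER-2", 5.5, in_cde=True),
    Finding("hr-fileserver", "ADVISORY-PLACEHOLDER-3", 5.5, in_cde=False),
    Finding("lobby-kiosk", "ADVISORY-PLACEHOLDER-4", 2.1, in_cde=True, resolved=True),
]

if __name__ == "__main__":
    print(rank_counts(SAMPLE_FINDINGS))
    print("passes:", assessment_passes(SAMPLE_FINDINGS), unresolved_high(SAMPLE_FINDINGS))
```

Note that the medium-scored finding on the payment web server becomes a blocker because of the CDE escalation, while the identical score on the HR file server does not, which is the kind of environment-specific judgement the "process for risk rankings" is meant to document.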

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.
