New emphasis on vulnerability-risk rating in networks for PCI data going into effect on June 30

By Ellen Messmer, Network World June 27, 2012

The Payment Card Industry (PCI) rules related to the security of customer card information play a big role in network design, and with some updated modifications to the PCI Data Security Standards (DSS) 2.0 guidelines kicking in at the end of the month, here’s what you need to know.


The main tweak to the 12-part PCI standard for compliance that kicks in at the end of June is a new requirement for “risk rankings to vulnerabilities,” says Alex Quilter, director of PCI at Qualys, who says it’s mainly associated with PCI rule 6.2 for secure systems and software. Any business dependent on processing customer debit and credit card information must now be able to show that it is not only aware of known vulnerabilities, but also has a process for ranking them according to the risk they pose to its own systems and software.

“This is an evolution of the requirements,” Quilter says. “You need to show a process for risk rankings.” This means obtaining information about known vulnerabilities from publicly available sources, whether vendor security alerts or elsewhere, and then prioritizing the risks to the organization’s network as they relate to protecting PCI data, if that’s not done already. These risks need to be prioritized as high, medium or low.

Quilter says the new emphasis on vulnerability risk rating also means that the PCI DSS 11.2 rule is tightened up from its previous language on scanning requirements to now require that organizations show proof of passing an internal vulnerability assessment.

These assessments have to be done quarterly and after any significant change, and performed by a qualified source. The assessment has to show a “passing result,” he says. This means that vulnerabilities ranked “high” for the internal network, as defined under the updated PCI DSS 6.2 requirement for securing PCI data, must be “resolved.”
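As an added illustration, not code from the article or from Qualys, the following Python model captures the two checks Quilter describes: ranking findings from public vendor alerts as high, medium or low against the organization's own systems, and treating an internal scan as a passing result only when no high-ranked finding remains unresolved. The ranking policy, hostnames and CVE placeholders are assumptions for the example.

```python
from dataclasses import dataclass

# Constructed example. The ranking policy below is an assumed local policy,
# not wording from PCI DSS. "CDE" = cardholder data environment.


@dataclass
class Finding:
    asset: str             # hypothetical hostname
    cve: str               # vendor alert identifier (placeholder values below)
    vendor_severity: str   # severity as published by the vendor
    in_cde: bool           # asset stores, processes or transmits card data
    resolved: bool = False


def risk_rank(f: Finding) -> str:
    """Map a public vendor severity onto this organization's own ranking.

    Assumed policy: a critical/high vendor rating is "high" only when the
    asset sits inside the CDE; outside the CDE it drops one step. A vendor
    "medium" is "medium" inside the CDE and "low" elsewhere.
    """
    sev = f.vendor_severity.lower()
    if sev in ("critical", "high"):
        return "high" if f.in_cde else "medium"
    if sev == "medium":
        return "medium" if f.in_cde else "low"
    if sev == "low":
        return "low"
    raise ValueError(f"unknown vendor severity {f.vendor_severity!r}")


def scan_passes(findings: list[Finding]) -> tuple[bool, list[str]]:
    """A quarterly internal scan is a 'passing result' when no finding ranked
    "high" is still unresolved. Returns (passed, blocking findings)."""
    blocking = [f"{f.asset} {f.cve}" for f in findings
                if risk_rank(f) == "high" and not f.resolved]
    return (not blocking, blocking)


if __name__ == "__main__":
    sample = [
        Finding("pos-db-01", "CVE-XXXX-0001", "critical", in_cde=True),
        Finding("intranet-wiki", "CVE-XXXX-0001", "critical", in_cde=False),
        Finding("pos-db-01", "CVE-XXXX-0002", "medium", in_cde=True),
    ]
    for f in sample:
        print(f.asset, f.cve, "->", risk_rank(f))
    print(scan_passes(sample))
```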