August 29, 2008
New security rules on tap for credit-card handlers
Companies that handle credit cards can expect to see revised security rules released in early October, according to the group responsible for maintaining the Payment Card Industry security standard for the storage and processing of credit and debit cards.
The next version of the 12-part PCI Data Security Standard is aimed at clarifying questions that merchants and service providers had regarding the current PCI DSS 1.1 standard, says Bob Russo, general manager of the PCI Security Standards Council. Some changes in the forthcoming Version 1.2 may prompt merchants and service providers to make adjustments in their security practices to achieve PCI compliance in the future, he adds.
"We're still tweaking this, but we expect to be finished by September 8th," Russo says. DSS 1.2 will be shared with council members including merchants; card association founders, such as Visa and MasterCard; card processors; and vendors certified to perform network scans or audits as part of the PCI compliance process.
The PCI DSS 1.2 document will be presented at the council's upcoming community meetings in Orlando and Brussels. Upon the official October publication of PCI DSS 1.2, the council will set deadlines for supporting the revised standard. Under discussion now is a sunset date of June 30, 2009 for PCI DSS 1.1.
PCI DSS 1.2 is not yet final, but the council is previewing what businesses can expect to see by October.
For one thing, there will be a clarification on the first rule related to using firewalls to protect cardholder data; the revised standard will change the requirement to review firewall rules from every quarter to every six months.
The council also will remove references to Wired Equivalency Privacy (WEP) to emphasize the use of stronger encryption and authentication for wireless networks. Companies using wireless technologies will be expected to implement "industry best practices," including 802.11x. Specifically, new implementations of WEP are not expected to be allowed after March 31, 2009, though current implementations could continue longer -- until June of next year, under the council's current thinking.
In addition, the revised standard probably will remove the requirement to disable service-set identifier (SSID) broadcast, because disabling SSID broadcast does not prevent a malicious user from determining the SSID, according to the council.
Among other clarifications, the revised standard will note that the requirement to use antivirus software extends to all operating system types. Software patching revisions will clarify that a "risk-based approach" for prioritization of patch installation is acceptable. In the matter of assigning a unique ID to each person for computer access, the Version 1.2 standard is expected to clarify that both passwords and passphrases — authentication challenges that require answers that the user should know — are acceptable for PCI compliance.
A clarification related to restricting physical access to cardholder data makes it clear that this requirement also pertains to paper-based media containing cardholder data, as well as electronic media.
Some other clarifications are expected to detail the need for a protected environment to preserve an audit trail for network resources related to cardholder data. For instance, revised language will clarify that three months of audit-trail history must be immediately available for analysis or quickly accessible. In addition, the council will seek to clarify that both internal and external penetration tests are required.
After the release of PCI DSS 1.2, the next major change to the PCI security standard isn't likely soon, Russo says. "We're hoping to stick to a two-year cycle after that," he says. PCI DSS 1.2 has been under discussion for more than a year as the council reviewed the 2,500 questions it received. Source: NetworkWorld