PCI version 1.2 is starting to make its rounds. Having been through 1.0, then 1.1, this new version continues to give me the warm and fuzzies about this regulation. Why? Because it's just so reasonable. I know people will take issue with that, but if you've been around regulations for a while you know what I mean (does anyone remember HIPAA and all the cycles we went around on that? Or the SOX COBIT meat grinder?).
Amichai and I held a webinar last week. Recalling the rush around 1.1 as organizations tried to get their heads around the regulations, we decided to help folks get a head start. Our net take away is the old Hitchhiker's Guide to the Galaxy adage, "Don't Panic."
There were only two areas that really stuck out for me: a new AV clarification and a change to the wireless requirement.
The first warranted a chuckle - AV requirements now extend down to any OS. Great, but if you're an organization with a lot of OSes of different flavors you just got a big headache (and that's most of us). This one is definitely going to cause a conversation between auditors and clients. I would lay good money that this one gets clarified. In fact, this reminds me completely of the patch requirements. The previous version of PCI said organizations had 30 days to roll out the latest vendor patches. Sounds great in principle, but I talked to a number of customers who were having a hard time complying with that because they had a large number of patches to roll out. And guess what? Oh yeah, they probably needed to QA it first. Oh, and you have an SLA with your clients on when you can push patches? Poof, there goes your 30 days. I've seen a room full of adults yell on this one. But you know what? PCI 1.2 brings a reasonable compromise - you can now take a risk-based approach. Ah, so now you can move critical patches to the front of the line, prioritize those patches that affect your critical information and are facing the greatest risk, and roll out the rest behind it. This is how I see the new AV rule playing out too - AV the systems most at risk, AV the systems whose OS holds your critical data, and roll the rest in.
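To make the risk-based approach concrete, here is an added example (my own illustration, not code from the original post or from any PCI document) that ranks a constructed patch backlog by severity and by whether the affected system touches cardholder data or faces the internet, assigns a remediation window per risk tier, and contrasts that with the flat 30-day rule of the earlier standard. The tier windows (30/60/90 days) and the scoring weights are assumptions standing in for whatever an organization writes into its own documented policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Patch:
    """One outstanding vendor patch and the context needed to rate its risk."""
    patch_id: str
    severity: str                  # "critical", "high", "medium" or "low" (vendor rating)
    released: date                 # date the vendor published the patch
    touches_cardholder_data: bool  # target system stores or processes cardholder data
    internet_facing: bool          # target system is reachable from untrusted networks


# Assumed weights: severity dominates, exposure and data sensitivity add to it.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Assumed policy tiers: (minimum score, remediation window in days).
# Highest-risk patches keep the old 30-day window; lower tiers get longer.
TIERS = [(40, 30), (25, 60), (0, 90)]

FLAT_WINDOW_DAYS = 30  # the fixed rule from the earlier version of the standard


def risk_score(p: Patch) -> int:
    """Higher score means the patch goes nearer the front of the line."""
    score = SEVERITY_WEIGHT[p.severity] * 10
    if p.touches_cardholder_data:
        score += 5
    if p.internet_facing:
        score += 5
    return score


def deadline(p: Patch) -> date:
    """Remediation deadline under the assumed risk-based tiers."""
    score = risk_score(p)
    for minimum, days in TIERS:
        if score >= minimum:
            return p.released + timedelta(days=days)
    raise AssertionError("TIERS must end with a 0-score catch-all tier")


def plan(patches, today: date):
    """Return the rollout queue: highest risk first, earlier release breaks ties."""
    ordered = sorted(patches, key=lambda p: (-risk_score(p), p.released))
    return [
        {
            "patch_id": p.patch_id,
            "score": risk_score(p),
            "deadline": deadline(p),
            "overdue": deadline(p) < today,
        }
        for p in ordered
    ]


def flat_30_day_overdue(patches, today: date):
    """Patches that would be out of compliance under the old fixed 30-day rule."""
    return [p.patch_id for p in patches
            if p.released + timedelta(days=FLAT_WINDOW_DAYS) < today]


# Constructed sample backlog (hypothetical identifiers and dates).
SAMPLE = [
    Patch("KB-0001", "critical", date(2008, 10, 1), True, True),
    Patch("KB-0002", "medium", date(2008, 9, 1), True, False),
    Patch("KB-0003", "low", date(2008, 8, 15), False, False),
    Patch("KB-0004", "critical", date(2008, 10, 10), False, False),
]

if __name__ == "__main__":
    today = date(2008, 11, 1)
    for row in plan(SAMPLE, today):
        print(row)
    print("overdue under flat 30-day rule:", flat_30_day_overdue(SAMPLE, today))
```

Run on the constructed backlog as of 2008-11-01, the internet-facing critical patch on a cardholder-data system lands first and is already overdue, while the low-severity patch on an out-of-scope host is still inside its window; under the flat rule three of the four would be out of compliance regardless of what they protect.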
The other section that stood out is the dropping of WEP from the standard. I don't think many of us are surprised. But I suspect there are a good number of WEP implementations out there. And I'd guess a lot of these products have been EOL'd by the manufacturers, and more than likely don't have firmware for the hardware that supports WPA/WPA2. My comment - get over it. We all knew it was coming, we all knew about WEP's shortcomings, and PCI 1.2 is giving you plenty of time to do it. Budget for it and move on.
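Before you can budget for replacing WEP gear you have to know where it is. The following is an added example (mine, not from the original post) that takes a wireless site-survey export in a constructed CSV layout, normalizes the encryption column, lists every WEP access point as a finding, and separates out rows whose encryption could not be determined so they get a manual look rather than being silently passed. The column names and the sample rows are assumptions; adapt the parser to whatever your survey tool actually exports.

```python
import csv
import io

# Constructed survey export (not real scan data). Columns are assumed.
SURVEY_CSV = """ssid,bssid,encryption,channel
POS-Lane1,00:11:22:33:44:01,WEP,6
POS-Lane2,00:11:22:33:44:02,WPA2,11
Guest,00:11:22:33:44:03,OPEN,1
Warehouse-Scanner,00:11:22:33:44:04,wep,6
Office,00:11:22:33:44:05,WPA,1
Legacy-AP,00:11:22:33:44:06,,6
"""


def parse_survey(text: str):
    """Parse the survey export into normalized dicts.

    Encryption is upper-cased so 'wep' and 'WEP' compare equal; a blank
    value becomes 'UNKNOWN' so it cannot be mistaken for a secure setting.
    """
    networks = []
    for row in csv.DictReader(io.StringIO(text)):
        enc = (row.get("encryption") or "").strip().upper() or "UNKNOWN"
        networks.append({
            "ssid": (row.get("ssid") or "").strip(),
            "bssid": (row.get("bssid") or "").strip().lower(),
            "encryption": enc,
            "channel": int(row["channel"]) if (row.get("channel") or "").strip() else None,
        })
    return networks


def find_wep(networks):
    """Access points still using WEP: the setting PCI 1.2 removed from the standard."""
    return [n for n in networks if n["encryption"] == "WEP"]


def needs_review(networks):
    """Rows where the survey did not record an encryption type at all."""
    return [n for n in networks if n["encryption"] == "UNKNOWN"]


def summarize(networks):
    """Count of access points per encryption type, for the budget conversation."""
    counts = {}
    for n in networks:
        counts[n["encryption"]] = counts.get(n["encryption"], 0) + 1
    return counts


def report(text: str) -> str:
    """Human-readable finding list for the survey export."""
    networks = parse_survey(text)
    lines = [f"Access points by encryption: {summarize(networks)}"]
    for n in find_wep(networks):
        lines.append(f"FINDING WEP in use: ssid={n['ssid']} bssid={n['bssid']} channel={n['channel']}")
    for n in needs_review(networks):
        lines.append(f"REVIEW encryption not recorded: ssid={n['ssid']} bssid={n['bssid']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SURVEY_CSV))
```

The summary count is the number that goes into the replacement budget; the WEP findings are the access points that have to be gone before the standard's deadline, and the review list keeps an incomplete survey from turning into a false clean bill of health.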
Anyway, it was a great discussion and I believe we were one of the first to host a webinar on 1.2. Many thanks to Amichai - I think we were able to organize our thoughts around PCI 1.2 in a matter of a couple of days, and we pulled in almost 100 registrants with only 30 hours' notice to users. If you haven't seen it, a recorded version is posted here.