Wireless networks and non-Windows based platforms affected

By Susan Lyon

The Payment Card Industry (PCI) Security Standards Council posted Version 1.2 of the PCI Data Security Standards (PCI DSS) on October 1. The major credit card companies require compliance with the PCI DSS rules via contracts with merchants and their vendors that accept and process credit cards. The new rules come out as many retailers still struggle to comply with Version 1.1. As several of the changes clarify or even ease former obligations, Version 1.2 will help, in some ways, with that compliance.

A few of the changes, however, may add to those struggles. Significant changes include heightened security requirements for wireless networks and expanded requirements to deploy anti-virus software beyond Windows-based platforms, including systems like UNIX. Merchants and vendors subject to PCI DSS rules should note these changes.

Significant changes

Significant changes in Version 1.2 of the PCI DSS that may impact your business include:

  • Heightened protections for wireless networks transmitting cardholder data, "or connected to cardholder data environments," including requirements to:

          o Verify compliance with industry best practices (e.g., IEEE 802.11i) to strongly encrypt authentication and transmission of cardholder data
          o Cease use of WEP (Wired Equivalent Privacy), an algorithm used to secure wireless networks. Security experts generally consider WEP a less secure method for protecting wireless data than alternatives such as WPA.
          o Version 1.2 sets deadlines to stop use of WEP at the following future dates:  
                + No new use of WEP can be put in place after March 31, 2009.
                + All use of WEP must cease after June 30, 2010.
          o Conversion from WEP to WPA can be quite costly for many companies.

  • Extended the requirement to deploy anti-virus software to all platforms. The former rule was understood to apply only to Windows-based systems. The new rule applies to all systems, including UNIX. The new rule also states that anti-virus software must guard against all known types of malicious software.


  • Make mandatory the protection of public-facing web applications by either (1) reviewing and patching vulnerabilities, or (2) installing web-application firewalls. Version 1.1 had initially described these options simply as a best practice, giving until June 30, 2008 before becoming a rule. So technically, the compliance date had already passed, but issuance of Version 1.2 serves as a good reminder of this requirement.


  • Added requirement to render passwords unreadable both in storage and in transmission. The prior rule only required passwords to be unreadable in transmission.
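The storage half of that requirement means a credential store must not hold the password itself, only a value from which the password cannot be recovered. The following is an added illustration, not code from the article or from the PCI Security Standards Council: it stores passwords as salted, iterated PBKDF2-HMAC-SHA256 hashes (one common way of meeting "unreadable in storage"; the choice of algorithm and iteration count here is the author's assumption, not something the standard prescribes), verifies logins against them in constant time, and audits a constructed sample store for entries still kept in clear text.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Parameters are assumptions for this example, not values taken from PCI DSS.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (base64 fields)."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        iteration_count = int(iterations)
    except (ValueError, TypeError):
        # Malformed or clear-text record: never treat it as a match.
        return False
    if algorithm != ALGORITHM or iteration_count <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iteration_count)
    return hmac.compare_digest(candidate, expected)


def find_readable_passwords(records: Dict[str, str]) -> List[str]:
    """Audit helper: list users whose stored credential is not in the hashed format.

    A record that does not carry the algorithm prefix is assumed to be clear text
    or an unsalted legacy value and is flagged for migration.
    """
    return [user for user, stored in records.items()
            if not stored.startswith(ALGORITHM + "$")]


# Constructed sample store: one properly hashed entry, one clear-text entry.
SAMPLE_STORE: Dict[str, str] = {
    "alice": hash_password("correct horse battery", iterations=10_000),
    "bob": "hunter2",
}


if __name__ == "__main__":
    print("alice login ok:", verify_password("correct horse battery", SAMPLE_STORE["alice"]))
    print("wrong password rejected:", not verify_password("wrong", SAMPLE_STORE["alice"]))
    print("records needing migration:", find_readable_passwords(SAMPLE_STORE))
```

Because each record carries its own salt and iteration count, the count can be raised over time without rewriting every record at once: old entries keep verifying and are re-hashed on the user's next successful login.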

Other changes of note include:

  • Increased responsibilities to create documents of certain processes. Such additional documentation includes: a diagram of the network showing cardholder data flows; documents to verify placement of firewall and router rule sets; log reports of audit trail histories; and forms for attestation of compliance for onsite assessments to be completed and signed by merchants/service providers and Qualified Security Assessors (QSAs).


  • Specified list of critical employee-facing technologies needing review. That list includes: "remote access technologies, wireless technologies, removable electronic media, email usage, Internet usage, laptops, and personal digital assistants."

Clarifications/Relaxed Requirements
Many of the changes simply clarify rules; a few, however, allow for more flexibility, including:

  • Relaxed firewall and router rules set review frequency to every six months. Formerly, reviews were set to quarterly.


  • Replaced the prescriptive requirement to use WPA (Wi-Fi Protected Access) or WPA2 (an advanced protocol that fully implements the 802.11i standard) when updating firmware in a wireless environment. The new standard no longer mandates a specific type of technology. Instead, it provides more flexibility by simply requiring "strong encryption" technology.


  • Clarified that internal and external penetration testing does not require use of a QSA or Approved Scanning Vendor (ASV). Penetration testing involves testing the vulnerability of a system by simulating an attack. Such testing can be done internally or using a regular third-party vendor. Individuals doing the testing, however, must be qualified and independent. If internal resources are used rather than external vendors, those individuals should be organizationally separate from those managing the tested system.


  • Removed the requirement to disable broadcast of the SSID (Service Set Identifier, the name of a wireless network that is displayed as a choice for users to connect to). Previously, it was thought that disabling SSID broadcast would help secure networks. The current approach takes into account the fact that SSIDs cannot truly be hidden: even with broadcast disabled, once a user actually connects to a network, the SSID is transmitted in the clear.

Action items for your business

  • If you use wireless networks, determine whether they transmit cardholder data or connect to systems that do. If they do, review your security standards to ensure compliance with IEEE 802.11i. Put in place a plan to prevent any new use of WEP after March 31, 2009 and to cease all ongoing use of WEP after June 30, 2010. As this can be a costly undertaking for many companies, be sure those in your organization who set technology budgets plan appropriately for it.


  • Assess whether you use any non-Windows based platforms. If so, explore procurement of the many new anti-virus solutions for non-Windows based platforms. Prioritize roll-out to systems core to processing cardholder data or in close connection to such central systems. Also consider more vulnerable systems such as personal computers.


  • Review your processes for protecting public-facing web applications. First consider a process for regular review and patching of application vulnerabilities. If patching of applications is not feasible, consider as an alternative the installation of web-application firewalls. Addressing application vulnerabilities is generally considered to be a better security practice. Web-application firewalls, however, can be a good stop-gap solution until vulnerabilities can be addressed or if patching applications is not practical, for example, where older applications are soon to be replaced.

As Katherine Race Brin, attorney with the Federal Trade Commission's Division of Privacy and Identity Protection, noted at a recent data security workshop, data security compliance is an "ongoing process." As part of that process, you should regularly review your payment card security practices. At minimum, think about taking the actions described above. This is a good time, however, to consider whether you are due for a more thorough review. You may find the relaxed or clarified requirements help you realize significant savings. On the other hand, your review may reveal new obligations and risks which you will now need to find budget to solve. Whether you think you have achieved PCI compliance or continue to strive to get there, the release of this latest version of the PCI DSS should prompt you to revisit your current practices.

Susan Lyon, of counsel in Perkins Coie's Privacy & Security practice, provides practical advice to a broad range of multinational companies on privacy, data security, online safety and Internet laws. Her practice also includes regulatory compliance counseling, litigation, and legislative policy. Prior to Perkins, Ms. Lyon was in-house privacy counsel for Microsoft Corp. and Dell Inc. Ms. Lyon's updates on privacy and data security law can be found at the Perkins Internet law blog. You can email her at slyon@perkinscoie.com or find her on Facebook.

