[ISN] Forthcoming PCI changes will bring challenges for payment card network community

http://www.networkworld.com/news/2013/100113-pci-274386.html By Ellen Messmer Network World October 01, 2013 Organizations that make use of SSH keys for secure access to servers should be aware that they may need to make some changes soon when it comes to managing any of their networks related to payment-card processing, according to the CEO of SSH Communications security, Tatu Ylonen. That’s because the next version of the Payment Card Industry (PC) standard to be published in early November, PCI v.3, is expected to include some new guidance on authentication and remote access to any network segment that processes or stores payment cards that could impact use of Secure Shell (SSH) cryptographic technology, Ylonen says. “Key access clearly can be used in a PCI environment,” Ylonen notes. “But key access across from a boundary forces problems.” Any organization storing or processing payment cards must follow the PCI standard’s requirements for network security. SSH keys are often used for automated machine to machine security and SSH keys grant access with a password, Ylonen notes. Boundaries for PCI networks define segments in which card storage or processing takes place — often called PCI network “scope” — and it must conform to PCI requirements as defined in the PCI Data Security Standard (DSS) published by the PCI Security Standards Council. Ylonen says he is encouraging systems administrators — the individuals often responsible for setting up SSH key management for enterprise networks — to start discussions about the upcoming PCI DSS v.3 standard with those in their organization most involved in making sure there will be PCI compliance. These individuals might be chief security officers, CIOs or internal auditors, for example. From what he’s seen of the draft of the PCI v. 3 standard, Ylonen says, “the rules themselves are good but guidance is vague.” […]