PCI group releases wireless security guide

By Marcia Savage, Features Editor, Information Security magazine
16 Jul 2009 | SearchSecurity.com

Merchants who need help in securing their wireless networks to comply with the PCI Data Security Standard now have a step-by-step guide.

The PCI Security Standards Council on Thursday released the wireless security guide, which was developed by its special interest group (SIG) on wireless technologies. The 28-page PCI DSS Wireless Guideline analyzes applicable PCI DSS requirements and provides recommendations for implementation.

"The purpose of this guide is to provide clarity to a number of people who need it," said Doug Manchester, director of product security for San Jose, Calif.-based VeriFone Holdings Inc., and chairman of the wireless SIG. For example, someone operating a dry cleaner may easily set up a wireless network, but he/she may need help understanding how the PCI DSS applies to it, he said.

The guide focuses on Wi-Fi technology because it's widely deployed for payment card transactions, he said: "Wi-Fi seemed the most pressing objective." He added that the SIG would next like to address Bluetooth, a wireless protocol that's also heavily used for payment card transactions.

A top priority for the wireless SIG was to address the issue of what's in the PCI standard's scope as it relates to wireless and what's not in scope, Manchester said. Recommendations in the wireless security guide include changing default settings, not relying on virtual LANs for WLAN segmentation, and maintaining a hardware inventory to ensure no rogue WLANs are installed. The paper includes graphics and flow charts.

"The overarching objective here is to facilitate secure processing," Manchester said. "Wireless is here to stay and we want to give everyone an equal opportunity to take advantage of the technology."

More than 40 organizations representing merchants, point-of-sale vendors, banks and network security companies were involved in the wireless SIG. The PCI SSC, which manages the PCI standard, formed the wireless SIG last summer. The council also has SIGs that focus on scoping, virtualization, and pre-authorization; the wireless one is the first to publish its work.

Cybercriminals have exploited vulnerabilities in wireless networks to steal credit card data, highlighting the need for wireless security. The 2007 breach at TJX Companies Inc., which exposed at least 45.7 million credit and debit cards to potential fraud, involved lax WLAN security, according to investigators. They found that hackers exploited a hole in TJX's Wi-Fi network and used a modified sniffer program to monitor and capture data from TJX's transaction systems. Investigators said TJX was using the Wired Equivalent Privacy (WEP) encryption protocol, an older and easily cracked security standard that was replaced by Wi-Fi Protected Access (WPA). WPA is compatible with the latest standard, IEEE 802.11i, referred to as WPA2, which uses the Advanced Encryption Standard.

PCI DSS v1.2 requires organizations to discontinue using WEP as of June 30, 2010 and switch to improved encryption and authentication such as the IEEE 802.11i standard.
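Two of the recommendations reported above, keeping a hardware inventory so rogue WLANs are noticed and retiring WEP before the June 30, 2010 deadline, can be turned into a routine check. The script below is an added example, not part of the article or the PCI SSC guideline; the scan lines, BSSIDs and inventory are constructed sample data, and the three-column scan format is an assumption.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample scan of the air around a store: "BSSID SSID SECURITY"
# (assumed format; SSIDs without spaces). Not real data.
SCAN_RESULTS = """\
00:11:22:33:44:01 STORE-POS WPA2-AES
00:11:22:33:44:02 STORE-GUEST WEP
00:11:22:33:44:03 STORE-POS OPEN
de:ad:be:ef:00:01 linksys WEP
"""

# Constructed hardware inventory: access points the merchant actually owns.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}

# PCI DSS v1.2 date after which WEP may no longer be used (from the article).
WEP_SUNSET = date(2010, 6, 30)


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    issue: str


def parse_scan(text):
    """Parse the constructed 'BSSID SSID SECURITY' lines into tuples."""
    aps = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than guessing at them
        bssid, ssid, security = parts
        aps.append((bssid.lower(), ssid, security.upper()))
    return aps


def audit(scan_text, authorized, today):
    """Flag APs missing from the inventory (possible rogues) and weak encryption."""
    known = {b.lower() for b in authorized}
    findings = []
    for bssid, ssid, security in parse_scan(scan_text):
        if bssid not in known:
            findings.append(Finding(bssid, ssid, "rogue: BSSID not in hardware inventory"))
        if security == "WEP":
            # Before the sunset date WEP is a migration item; after it, a violation.
            status = "prohibited" if today > WEP_SUNSET else "replace by " + WEP_SUNSET.isoformat()
            findings.append(Finding(bssid, ssid, "WEP in use: " + status))
        elif security == "OPEN":
            findings.append(Finding(bssid, ssid, "no encryption"))
    return findings
```

Run against a real inventory, the same loop gives a merchant a daily list of unexpected BSSIDs and of access points still on WEP, with the wording changing once the deadline has passed.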

Roger Nebel, an independent PCI DSS auditor and director of strategic security at Baltimore, Md.-based FTI Consulting Inc., said the technical recommendations in the PCI wireless security guide are solid and, if implemented, should improve wireless security.

"The main issue remains that implementing these recommendations will be relatively costly for many merchants as they will need to replace older WEP-only technology by June 2010," he said. Merchants are faced with the expense of buying newer hardware and software in a tight economic environment, he added.

Manchester said cost was one of the considerations in developing the guide. He said the paper is designed to offer options such as segmentation and "not put the burden necessarily on the merchant to make big investments in equipment."
