COMPLIANCE COUNSELOR

WEP to WPA: Wireless encryption in the wake of PCI DSS 1.2


Mike Chapple, Contributor
10.01.2008

The PCI Security Standards Council recently announced the imminent release of the Payment Card Industry Data Security Standard (PCI DSS) version 1.2. This revision includes a number of changes, updates and clarifications that affect anyone involved in the storage, processing or transmission of credit card information. One of the major areas of change, however, involves the use of wireless networks to transmit cardholder data.

In the PCI DSS 1.2 Summary of Changes, the PCI Security Standards Council announced several adjustments to the wireless network security requirements:

  • Wireless must be implemented using strong encryption for authentication and transmission. The Council cites IEEE 802.11i as an appropriate example.
  • Merchants are no longer permitted to deploy any new Wired Equivalent Privacy (WEP) networks.
  • Merchants using WEP networks must transition to Wi-Fi Protected Access (WPA) security no later than June 30, 2010.

Using WEP encryption to "protect" a wireless network is a bad idea, and that fact shouldn't be news to anyone. Researchers have repeatedly discovered new flaws in WEP. The use of WEP encryption was also responsible for the well-known TJX Companies Inc. breach, one of the largest thefts of credit card information in history. Up until now, the PCI DSS allowed the use of WEP encryption with the presence of compensating controls, including quarterly key rotation, MAC-based host restrictions, and the use of supplemental encryption.

For smaller networks, WPA-secured networks and 802.1x authentication may be a fairly trivial task to implement. In some cases, however, the work may require significant infrastructure and/or payment system upgrades.

Converting to WPA
WPA has been standard technology on all wireless equipment manufactured since September 2003. For those using such equipment, converting to WPA may be as simple as changing a setting on the wireless access points and reconfiguring networked devices to access the new WPA network. However, for those using obsolete or specialized hardware, this change may not be so simple; you may need to get the manufacturer involved.

The good news is that everybody's in the same boat. Manufacturers that wish to support payment card applications must also support WPA encryption if they intend to continue serving the payment card industry. The bad news is that nobody requires vendors to retrofit existing equipment to accommodate the upgrade. Companies may find themselves sitting on a lot of expensive but obsolete hardware, with no option other than upgrading it or ripping it out piece by piece.

Going "enterprise"
The second task is a bit more subtle and tends to be ignored in the initial analysis of PCI DSS 1.2. The summary states: "Wireless must now be implemented according to industry best practices (e.g., IEEE 802.11i) using strong encryption for authentication and transmission." But what does PCI DSS 1.2's reference to "industry best practices" for authentication mean for enterprise security managers?

From my perspective, it means that the use of a pre-shared key is not permissible in all but the smallest and most well-controlled environments. Rather than using the authentication method of the simpler WPA-Personal mode, where every device on the network uses a single shared secret key, individual machine-based or user-based authentication should be put in place to protect network access. The use of WPA-Enterprise technology allows individual users or devices to be provisioned and de-provisioned without reconfiguring the entire network. It's clearly a good security practice, but it can be difficult to implement for those who don't have experience with it.

Enterprises that are already running a RADIUS and Active Directory environment may be able to simply tie it in to the wireless infrastructure using 802.1x. Essentially, WPA-Enterprise allows you to avoid the security problems associated with a pre-shared key. Instead of all users sharing a single key, WPA-Enterprise uses 802.1x to access an external authentication server to validate access requests using the credentials of individual users. Those that don't have this technology in place will need to think about the best way to deploy WPA-Enterprise in their environments.

For example, you'll probably want to first ensure that both your wireless infrastructure (access points, controllers, etc.) support WPA-Enterprise and then ensure that your wireless devices (laptops, PDAs, etc.) are also compatible. You'll then need to decide the appropriate authentication back end for your environment. In most Microsoft shops, you'll want to configure RADIUS to authenticate against an existing Active Directory. Otherwise, you'll need to find another source of user authentication data and integrate it with your RADIUS server.

Finally, you'll need to devise a rollout strategy. One common approach is to stand up the WPA-Enterprise network alongside your existing wireless networks and allow users a transition period of several weeks before shutting off the legacy network. For more practical advice on deploying WPA-Enterprise, read Controlling WLAN access on a tight budget.
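As an added illustration (not from the article or any vendor), the weak WPA-Personal access-point setting beside the WPA-Enterprise setting it should be replaced with, written as two hostapd configurations for a Linux-based access point; the SSID, the RADIUS server address (192.0.2.10, a documentation address) and the shared secrets are placeholders, and the RADIUS server's integration with Active Directory is assumed to be in place separately.

```ini
# Constructed example: two versions of /etc/hostapd/hostapd.conf.
# hostapd only accepts comments on their own lines, so notes sit above settings.

# ---- BEFORE: WPA-Personal (pre-shared key) -----------------------------------
# Every device shares one passphrase. Losing one device, or one employee who
# knows the key, means re-keying every access point and client on the network.
interface=wlan0
driver=nl80211
ssid=POS-WIFI-PLACEHOLDER
hw_mode=g
channel=6
# wpa=2 selects WPA2 (RSN), the IEEE 802.11i implementation the Council cites.
# Never leave WEP keys (wep_key0 etc.) in the file alongside this.
wpa=2
wpa_key_mgmt=WPA-PSK
# AES-CCMP only; do not fall back to TKIP.
rsn_pairwise=CCMP
wpa_passphrase=CHANGE-ME-PLACEHOLDER-PASSPHRASE

# ---- AFTER: WPA-Enterprise (802.1X with an external RADIUS server) ----------
# The access point no longer holds the secret that admits users. Each user or
# machine presents its own credentials over EAP; the AP relays them to RADIUS,
# which validates them (here, assumed to be against Active Directory).
# Revoking one account de-provisions one user without touching anything else.
interface=wlan0
driver=nl80211
ssid=POS-WIFI-PLACEHOLDER
hw_mode=g
channel=6
wpa=2
# 802.1X/EAP key management instead of a shared passphrase.
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
# Turn on the 802.1X authenticator and forward all authentication to RADIUS
# rather than using hostapd's built-in EAP server.
ieee8021x=1
eap_server=0
auth_server_addr=192.0.2.10
auth_server_port=1812
# Per-access-point secret shared only with the RADIUS server; it is not a
# user credential and should differ for every AP.
auth_server_shared_secret=CHANGE-ME-RADIUS-SECRET
# Accounting gives the RADIUS server a log of who joined which AP and when.
acct_server_addr=192.0.2.10
acct_server_port=1813
acct_server_shared_secret=CHANGE-ME-RADIUS-SECRET
nas_identifier=ap-store-01.example.com
own_ip_addr=192.0.2.2
```

The RADIUS server must be configured to accept this access point as a client with the same shared secret before clients can authenticate, and the "before" and "after" files are alternatives, not one file.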

Summing up
The new wireless requirements imposed by PCI DSS 1.2 aren't a surprise to payment card security professionals. We've been expecting them ever since the first release of PCI DSS 1.0, and they represent best practices in wireless security. The time has now come to comply, and the council has set a clear deadline: June 2010. That might sound far away, but the best advice I can offer you is to start planning now. If the changes are simple, you'll finish way ahead of the deadline and have plenty of time to relax. However, if your infrastructure requires major changes, you'll have the necessary opportunity to plan and deploy those changes properly.

About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.
