For organizations that must be compliant with the Payment Card Industry Data Security Standard (PCI DSS), the duties of ensuring compliance typically fall to more than one person. The standard's many guidelines touch on numerous technologies, from identity management and authentication, to encryption, to system hardening and secure application coding.
Network security is also an important part of the mix, as firewalls and other network security technologies are essential in meeting several PCI DSS compliance requirements. One topic in particular that has received new attention from the PCI Security Standards Council in PCI DSS version 1.2, the updated edition of the standard released last fall, is Wi-Fi network security.
In this article, we will look at the wireless network (802.11) security aspects of the PCI DSS and provide practical technical guidance to help network security professionals ensure their Wi-Fi networks are PCI compliant before the auditor shows up to render a final verdict.
PCI DSS 1.2: Guidance for wireless networks
PCI DSS version 1.2 includes detailed instructions that cover using and securing wireless networks. These requirements include provisions for the following:
Basic network security -- In addition to documenting the wireless network in a network drawing, PCI DSS 1.2 requires a stateful firewall be in place between wired and wireless networks, and that firewall rules exist to restrict access between wireless networks and sensitive servers. Vendor-supplied default passwords must be changed on all wireless devices. Finally, wireless log data must be sent to a PCI-compliant logging server.
Using encryption -- Strong wireless encryption must be used to protect cardholder data transmitted within the wireless LAN (WLAN). Version 1.2 mandates that the outdated and insecure WEP protocol no longer be used in new implementations as of Mar. 31, 2009, and that it be phased out entirely by June 30, 2010. Many wireless experts suggest migrating to WPA2 using AES 128-bit encryption. Given not only the compliance demand, but also the current state of wireless attacks, WEP should be eliminated as soon as possible and replaced with stronger solutions, such as WPA2.
Regularly scanning -- Networks should be scanned for wireless devices on a regular basis. Look for unauthorized or rogue access points. An enterprise-wide wireless IPS deployment will automate this requirement; manual wireless scanning is time-consuming, and many companies struggle with the logistics of getting it done within the timeframes mandated by PCI. However, manual scanning is acceptable with free tools such as Kismet, or with commercial tools such as Motorola Inc.'s AirDefense Mobile or AirMagnet Inc.'s WiFi Analyzer.
Provide secure wireless guest access -- Each enterprise should create a policy that specifies how employees, guests and contractors are allowed to use the WLAN. Most enterprises use a captive guest portal to force guest users to meet policy. A captive guest portal is typically a website hosted by the wireless gateway. When a user who has not yet authenticated tries to reach a website on the Internet, the wireless system intercepts the HTTP request (an "HTTP hijack") and takes the user's traffic "captive." That traffic is redirected to the website hosted on the wireless gateway, where the unknown user is required to authenticate according to the company's policy.
How to determine wireless PCI DSS compliance status
The previous section likely pointed out a few areas where your enterprise may need to make changes to ensure its wireless network is PCI DSS compliant. This section describes the process to follow to determine whether the corporate WLAN is both in the scope of PCI DSS and compliant with the standard.
Create your network diagram -- Start by creating, updating or reviewing a network diagram. This map should show the location and basic identifying information of any authorized wireless devices on the network. Then validate the network diagram using wireless scanning tools.
Map transaction flow -- The next step is to map the credit card data-processing transaction flow on the network diagram to determine if the WLAN is in the scope of PCI. Look at the flow diagram and see if wireless devices are used to transmit credit card data. If certain groups of Wi-Fi devices aren't part of the transaction process, consider whether it is possible to implement a network segmentation strategy that would remove those devices from the scope of a PCI DSS audit.
Determine PCI compliance level -- Once the scope of the wireless compliance initiative is determined, find out if individual devices and systems meet the specifications of the PCI DSS. Take note of any requirements that are not being met and why, and create a plan to systematically bring the entire WLAN up to spec.
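The diagram-validation step above, together with the scanning and encryption requirements from the previous section, amounts to one check: compare what a wireless survey actually sees against the authorized inventory and flag rogue radios, SSID mismatches and WEP or open networks on authorized APs. The following is an added example, not code from the article; the inventory format, the comma-separated scan format and all BSSIDs and SSIDs are constructed (a real survey would come from a tool such as Kismet).

```python
"""Check a wireless site survey against the authorized AP inventory (added example;
inventory and scan formats are assumptions, a real survey would come from Kismet)."""

# Constructed inventory: BSSIDs recorded on the network diagram (assumed format).
AUTHORIZED = {
    "00:11:22:33:44:01": {"ssid": "CORP-POS", "site": "store-12"},
    "00:11:22:33:44:02": {"ssid": "CORP-GUEST", "site": "store-12"},
}

# Encryption the article recommends (WPA2 with AES/CCMP); WEP and open networks fail.
COMPLIANT_ENCRYPTION = {"WPA2-AES", "WPA2-CCMP"}

# Constructed scan output, one "bssid,ssid,channel,encryption" record per line.
SCAN = """\
00:11:22:33:44:01,CORP-POS,6,WPA2-AES
00:11:22:33:44:02,CORP-GUEST,11,WEP
aa:bb:cc:dd:ee:ff,CORP-POS,1,OPEN
de:ad:be:ef:00:01,linksys,6,WPA2-AES
"""

def parse_scan(text):
    """Parse scan records into (bssid, ssid, channel, encryption); skip blank lines."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            bssid, ssid, channel, enc = (f.strip() for f in line.split(","))
            rows.append((bssid.lower(), ssid, int(channel), enc.upper()))
    return rows

def check_scan(scan_text, authorized=AUTHORIZED):
    """Return sorted (bssid, finding) pairs: rogue radios, SSID mismatches,
    non-compliant encryption on authorized APs, and diagram entries not seen."""
    corp_ssids = {entry["ssid"] for entry in authorized.values()}
    findings, seen = [], set()
    for bssid, ssid, _channel, enc in parse_scan(scan_text):
        seen.add(bssid)
        if bssid not in authorized:
            # Unknown radio; flag separately when it advertises one of our SSIDs.
            kind = "rogue-ap-spoofing-corporate-ssid" if ssid in corp_ssids else "rogue-ap"
            findings.append((bssid, kind))
            continue
        if ssid != authorized[bssid]["ssid"]:
            findings.append((bssid, "ssid-mismatch"))
        if enc not in COMPLIANT_ENCRYPTION:
            findings.append((bssid, f"noncompliant-encryption:{enc}"))
    for bssid in authorized.keys() - seen:  # diagram lists an AP the survey did not find
        findings.append((bssid, "authorized-ap-not-seen"))
    return sorted(findings)
```

Each finding maps to a remediation item: rogue radios are removed or added to the diagram after verification, and non-compliant encryption feeds the WEP-to-WPA2 migration plan.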
Remediating wireless network compliance
Once the network has been assessed and evaluated, take the following steps to effectively remediate an enterprise wireless network for PCI DSS compliance:
Step 1: Review -- Audit configuration data from wireless devices, such as access points and wireless controllers. Document the operational steps required to disable WEP and enable WPA2.
Step 2: Aggregate -- Aggregate all wireless access points to a wireless firewall on a per-site basis. Each wireless access point must pass its data through a stateful firewall before traversing the internal network in any manner.
Step 3: Log -- Enable syslog on each wireless device and point the feed to the internal syslog server. Not only is this mandated by PCI, but it is also important to have visibility into the traffic that is transported via the wireless network.
Step 4: Remove -- If existing wireless infrastructure components cannot meet PCI DSS specifications, remove the wireless device(s). In most companies, Wi-Fi network usage is not mission-critical, just convenient.
PCI compliance is a continual process. The diligent wireless network administrator or security practitioner should take the initiative to create a process that ensures the wireless network will remain within PCI DSS compliance at all times.
About the author:
John Kindervag, CISSP, CEH, former QSA, CPISM and CCNA, is a senior analyst with Cambridge, Mass.-based research firm Forrester Research. A 25-year veteran of the tech industry, his focus areas include network and wireless security, security information management and PCI DSS data security. John is a contributor to Forrester's Blog for Security & Risk Professionals.
This was first published in April 2009