Merchants who need help in securing their wireless networks to comply with the PCI Data Security Standard now have a step-by-step guide.
To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.
The PCI Security Standards Council on Thursday released the wireless security guide, which was developed by its special interest group (SIG) on wireless technologies. The 28-page PCI DSS Wireless Guideline analyzes applicable PCI DSS requirements and provides recommendations for implementation.
"The purpose of this guide is to provide clarity to a number of people who need it," said Doug Manchester, director of product security for San Jose, Calif.-based VeriFone Holdings Inc., and chairman of the wireless SIG. For example, someone operating a dry cleaner may easily set up a wireless network, but he/she may need help understanding how the PCI DSS applies to it, he said.
The guide focuses on Wi-Fi technology because it's widely deployed for payment card transactions, he said: "Wi-Fi seemed the most pressing objective." He added that the SIG would next like to address Bluetooth, a wireless protocol that's also heavily used for payment card transactions.
How to implement PCI network segmentation: When trying to comply with PCI DSS, network segmentation can be a tricky subject. In this expert response, Mike Chapple explains how to separate payment system's credit card processes.
A top priority for the wireless SIG was to address the issue of what's in the PCI standard's scope as it relates to wireless and what's not in scope, Manchester said. Recommendations in the wireless security guide include changing default settings, not relying on virtual LANs for WLAN segmentation, and maintaining a hardware inventory to ensure no rogue WLANs are installed. The paper includes graphics and flow charts.
"The overarching objective here is to facilitate secure processing," Manchester said. "Wireless is here to stay and we want to give everyone an equal opportunity to take advantage of the technology."
More than 40 organizations representing merchants, point-of-sale vendors, banks and network security companies were involved in the wireless SIG. The PCI SSC, which manages the PCI standard, formed the wireless SIG last summer. The council also has SIGs that focus on scoping, virtualization, and pre-authorization; the wireless one is the first to publish its work.
Cybercriminals have exploited vulnerabilities in wireless networks to steal credit card data, highlighting the need for wireless security. The 2007 breach at TJX Companies Inc., which exposed at least 45.7 million credit and debit cards to potential fraud, involved lax WLAN security, according to investigators. They found that hackers exploited a hole in TJX's Wi-Fi network and used a modified sniffer program to monitor and capture data from TJX's transaction systems. Investigators said TJX was using the Wired Equivalent Privacy (WEP) encryption protocol, an older and easily cracked security standard that was replaced by Wi-Fi Protected Access (WPA). It is compatible with the latest standard, IEEE 802.11i, referred to as WPA2, which uses the Advanced Encryption Standard.
PCI DSS v1.2 requires organizations to discontinue using WEP as of June 30, 2010 and switch to improved encryption and authentication such as the IEEE 802.11i standard.
Roger Nebel, an independent PCI DSS auditor and director of strategic security at Baltimore, Md.-based FTI Consulting Inc., said the technical recommendations in the PCI wireless security guide are solid and, if implemented, should improve wireless security.
"The main issue remains that implementing these recommendations will be relatively costly for many merchants as they will need to replace older WEP-only technology by June 2010," he said. Merchants are faced with the expense of buying newer hardware and software in a tight economic environment, he added.
Manchester said cost was one of the considerations in developing the guide. He said the paper is designed to offer options such as segmentation and "not put the burden necessarily on the merchant to make big investments in equipment."