The PCI Security Standards Council recently announced the imminent release of the Payment Card Industry Data Security Standard (PCI DSS) version 1.2. This revision includes a number of changes, updates and clarifications that affect anyone involved in the storage, processing or transmission of credit card information. One of the major areas of change, however, involves the use of wireless networks to transmit cardholder data.
In the PCI DSS 1.2 Summary of Changes, the PCI Security Standards Council announced several adjustments to the wireless network security requirements:
- Wireless must be implemented using strong encryption for authentication and transmission. The Council cites IEEE 802.11i as an appropriate example.
- Merchants are no longer permitted to deploy any new Wired Equivalent Privacy (WEP) networks.
- Merchants using WEP networks must transition to Wi-Fi Protected Access (WPA) security no later than June 30, 2010.
Using WEP encryption to "protect" a wireless network is a bad idea, and that fact shouldn't be news to anyone. Researchers have repeatedly discovered new flaws in WEP. The use of WEP encryption was also responsible for the well-known TJX Companies Inc. breach, one of the largest thefts of credit card information in history. Up until now, the PCI DSS allowed the use of WEP encryption with the presence of compensating controls, including quarterly key rotation, MAC-based host restrictions, and the use of supplemental encryption.
The good news is that everybody's in the same boat... The bad news is that nobody requires vendors to retrofit existing equipment to accommodate the upgrade.
For smaller networks, WPA-secured networks and 802.1x, authentication may be a fairly trivial task to implement. In some cases, however, the work may require significant infrastructure and/or payment system upgrades.
Converting to WPA
WPA has been standard technology on all wireless equipment manufactured since September 2003. For those using such equipment, converting to WPA may be as simple as changing a setting on the wireless access points and reconfiguring networked devices to access the new WPA network. However, for those using obsolete or specialized hardware, this change may not be so simple; you may need to get the manufacturer involved.
The good news is that everybody's in the same boat. Manufacturers that wish to support payment card applications must also support WPA encryption if they intend to continue serving the payment card industry. The bad news is that nobody requires vendors to retrofit existing equipment to accommodate the upgrade. Companies may find themselves sitting on a lot of expensive but obsolete hardware, with no option other than upgrading it or ripping it out piece by piece.
The second task is a bit more subtle and tends to be ignored in the initial analysis of PCI DSS 1.2. The summary states: "Wireless must now be implemented according to industry best practices (e.g., IEEE 802.11i) using strong encryption for authentication and transmission." But what does PCI DSS 1.2's reference and recommendation "industry best practices" for authentication mean for enterprise security managers?
From my perspective, it means that the use of a pre-shared key is not permissible in all but the smallest and most well-controlled environments. Rather than using the authentication method of the simpler WPA-Personal mode, where every device on the network uses a single shared secret key, individual machine-based or user-based authentication should be put in place to protect network access. The use of WPA-Enterprise technology allows individual users or devices to be provisioned and de-provisioned without reconfiguring the entire network. It's clearly a good security practice, but it can be difficult to implement for those who don't have experience with it.
Enterprises that are already running a RADIUS and Active Directory environment may be able to simply tie it in to the wireless infrastructure using 802.1x. Essentially, WPA-Enterprise allows you to avoid the security problems associated with a pre-shared key. Instead of all users sharing a single key, WPA-Enterprise uses 802.1x to access an external authentication server to validate access requests using the credentials of individual users. Those that don't have this technology in place will need to think about the best way to deploy WPA-Enterprise in their environments.
For example, you'll probably want to first ensure that both your wireless infrastructure (access points, controllers, etc.) support WPA-Enterprise and then ensure that your wireless devices (laptops, PDAs, etc.) are also compatible. You'll then need to decide the appropriate authentication back end for your environment. In most Microsoft shops, you'll want to configure RADIUS to authenticate against an existing Active Directory. Otherwise, you'll need to find another source of user authentication data and integrate it with your RADIUS server.
Finally, you'll need to devise a rollout strategy. One common approach is to stand up the WPA-Enterprise network alongside your existing wireless networks and allow users a transition period of several weeks before shutting off the legacy network. For more practical advice on deploying WPA-Enterprise, read Controlling WLAN access on a tight budget.
The new wireless requirements imposed by PCI DSS 1.2 aren't a surprise to payment card security professionals. We've been expecting them ever since the first release of PCI DSS 1.0, and they represent best practices in wireless security. The time has now come to comply, and the council has set a clear deadline: June 2010. That might sound far away, but the best advice I can offer you is to start planning now. If the changes are simple, you'll finish way ahead of the deadline and have plenty of time to relax. However, if your infrastructure requires major changes, you'll have the necessary opportunity to plan and deploy those changes properly.
About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.