Thursday, September 8, 2011
"As any security professional will tell you, there is no such thing as an absolute security – there will always be an evolution of attack sources and methods," said Al Hannagan, Senior Vice President of Internal Risk and Compliance at Trustwave Holdings Inc., a provider of on-demand data security and PCI compliance management. "However, there is a concept of reasonable security, whereby the means of securing the data make it either cost or time prohibitive for the attacker." Hannagan said leading wireless security methods are now good enough to provide a "reasonable level of security" for stored personally identifiable information. "A properly implemented wireless system can be compliant with the current PCI DSS requirements," he noted.
The wireless guidelines, formulated by the Wireless Special Interest Group (SIG) and first published by the PCI Security Standards Council (PCI SSC) in July 2009 as a supplement to the PCI DSS, were created to help companies limit PCI DSS scope on wireless networks and advise on how to deploy secure wireless payments. "Wireless networks continue to be an easy target for data compromise, especially as new devices are added to these devices," PCI SSC General Manager Bob Russo said. "This resource remains an important tool for understanding how to secure your payment card data when using wireless technologies."
The guidance distinguishes three cardholder data environment (CDE) situations for wireless: CDEs with no known wireless local area network (WLAN), CDEs with a known WLAN access point (AP) outside the CDE, and CDEs with a known WLAN AP inside the CDE. Which situation applies determines how much of the wireless network falls within PCI DSS scope.
The wireless guidelines recommend changing vendor default passwords, enabling Wi-Fi Protected Access (WPA) encryption rather than running an open network, configuring APs for WPA or, preferably, WPA2, and restricting access to wireless devices the organization has authorized. They also restate the PCI DSS requirements that wireless logs be retained for at least a year and reviewed daily, and that each organization maintain clearly stated wireless usage policies.
The updated guidelines likewise restate the PCI DSS requirement for a firewall between the CDE and any wireless network. The firewall should perform packet filtering and stateful inspection of connections, and it should log both the traffic it allows and the traffic it denies.
The SIG also advises checking for rogue access points, even if the network has no known authorized access points. The supplement recommends using a wireless analyzer or a wireless intrusion detection/prevention system to check the network for rogue access points.
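The recommendations above (WPA2 rather than WEP or an open network, only authorized devices, and a periodic sweep for rogue access points) can be turned into a check that runs over a wireless scan. The following is an added example, not code from the article or from the PCI SSC supplement: it parses scan output in the style of Linux `iw dev wlan0 scan`, classifies each access point's protection from the capability bits and RSN/WPA elements it advertises, and compares the result with a hypothetical authorized-AP inventory. The scan text, the BSSIDs and the inventory are constructed for the example, and `AUTHORIZED_APS`, `parse_scan` and `audit` are names chosen here.

```python
"""Check a Wi-Fi scan against an authorized-AP inventory and a WPA2-only policy.
Added example, not the article's or the PCI SSC's code. The scan text is
constructed in the style of `iw dev wlan0 scan`; the BSSIDs are made up."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: one WPA2/CCMP AP, one WPA(v1)/TKIP AP, one WEP AP
# (Privacy bit set but no RSN/WPA element) and one open AP.
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
    SSID: STORE-POS
    capability: ESS Privacy ShortSlotTime (0x0411)
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: PSK
BSS 00:11:22:33:44:66(on wlan0)
    SSID: STORE-GUEST
    capability: ESS Privacy ShortSlotTime (0x0411)
    WPA:     * Version: 1
         * Group cipher: TKIP
         * Pairwise ciphers: TKIP
         * Authentication suites: PSK
BSS de:ad:be:ef:00:01(on wlan0)
    SSID: STORE-POS
    capability: ESS Privacy (0x0011)
BSS de:ad:be:ef:00:02(on wlan0)
    SSID: linksys
    capability: ESS (0x0001)
"""

# Hypothetical inventory: BSSID -> SSID that AP is supposed to broadcast.
AUTHORIZED_APS: Dict[str, str] = {
    "00:11:22:33:44:55": "STORE-POS",
    "00:11:22:33:44:66": "STORE-GUEST",
}
ACCEPTABLE_SECURITY = {"wpa2"}  # WPA2 with CCMP only; WEP, WPA, TKIP and open fail
BSS_RE = re.compile(r"^BSS ([0-9a-f:]{17})", re.I)


@dataclass
class AccessPoint:
    bssid: str
    ssid: str = ""
    privacy: bool = False   # capability "Privacy" bit: some encryption is on
    rsn: bool = False       # RSN element present -> WPA2
    wpa: bool = False       # vendor WPA element present -> WPA (version 1)
    ciphers: List[str] = field(default_factory=list)  # pairwise ciphers seen

    @property
    def security(self) -> str:
        """Classify protection from what the AP advertises in its beacons."""
        if self.rsn:
            return "wpa2-tkip" if "TKIP" in self.ciphers else "wpa2"
        if self.wpa:
            return "wpa"
        return "wep" if self.privacy else "open"


@dataclass
class Finding:
    bssid: str
    ssid: str
    security: str
    issue: str


def parse_scan(text: str) -> List[AccessPoint]:
    """Parse iw-style scan output into AccessPoint records."""
    aps: List[AccessPoint] = []
    for raw in text.splitlines():
        m = BSS_RE.match(raw)
        if m:
            aps.append(AccessPoint(bssid=m.group(1).lower()))
            continue
        if not aps:
            continue  # ignore anything before the first BSS header
        ap, line = aps[-1], raw.strip()
        if line.startswith("SSID:"):
            ap.ssid = line[len("SSID:"):].strip()
        elif line.startswith("capability:"):
            ap.privacy = "Privacy" in line
        elif line.startswith("RSN:"):
            ap.rsn = True
        elif line.startswith("WPA:"):
            ap.wpa = True
        elif line.startswith("* Pairwise ciphers:"):
            ap.ciphers.extend(line.split(":", 1)[1].split())
    return aps


def audit(aps: List[AccessPoint], authorized: Dict[str, str]) -> List[Finding]:
    """Report unauthorized APs and authorized APs that violate the policy."""
    findings: List[Finding] = []
    known_ssids = set(authorized.values())
    for ap in aps:
        sec = ap.security
        if ap.bssid not in authorized:
            issue = "unauthorized AP"
            if ap.ssid in known_ssids:
                issue += " broadcasting an authorized SSID"  # possible impostor
            findings.append(Finding(ap.bssid, ap.ssid, sec, issue))
            continue
        if ap.ssid != authorized[ap.bssid]:
            findings.append(Finding(ap.bssid, ap.ssid, sec,
                                    f"SSID drift: inventory says {authorized[ap.bssid]!r}"))
        if sec not in ACCEPTABLE_SECURITY:
            findings.append(Finding(ap.bssid, ap.ssid, sec,
                                    f"{sec} is not acceptable; require WPA2 with CCMP"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_scan(SAMPLE_SCAN), AUTHORIZED_APS):
        print(f"{f.bssid}  {f.ssid:<12} {f.security:<10} {f.issue}")
```

Run against the sample, the audit reports the guest AP for still using WPA/TKIP, an unknown AP broadcasting the STORE-POS name, and an open AP with a vendor default name; the WPA2 POS AP passes. In practice the inventory is maintained per site and the scan taken on a schedule at each location, and the guidance calls for the sweep even where no wireless is authorized. Anything reported as unauthorized still needs physical follow-up, because a scan alone cannot tell a neighbor's AP from one plugged into the CDE.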
Additionally, the guidelines offer recommendations for security when using Bluetooth technology, as well as best practices for testing and finding unauthorized wireless access points to local networks. This is the first update to the council's guideline for secure wireless payments technology.
Headed by VeriFone Holdings Inc. Director of Product Security Doug Manchester, the SIG had more than 40 organizations working on the final guidelines. The group included POS vendors, network security companies, acquiring banks and merchants. The supplement adds no additional requirements to the PCI standards, and it endorses no individual technologies.
Tim Cranny, President and Chief Executive Officer of security and PCI compliance company Panoptic Security Inc., agreed with Hannagan's assessment of the wireless guidelines.
"Secure wireless is one of the more challenging areas," he said. "Can wireless be PCI compliant? Yes. But it is more difficult. It's easy when you have a wired, static topology. When you have a contained environment, the network security is relatively easy. Wireless is more difficult."
Cranny explained that wireless systems remain difficult to secure because of eavesdropping: thieves can pluck transmitted information right out of the air. That possibility emphasizes the need for end-to-end encryption, he said, adding that good encryption solutions are available for securing wireless networks. "The boring, obvious choice is almost always a good one," he said.
Cranny warned wireless payment providers to stay away from the once popular but seriously flawed Wired Equivalent Privacy (WEP) protocol and to use WPA or, better still, WPA2 instead.
"The new guidelines are saying, upfront, WEP is unacceptable," Cranny said. "The new guidelines are not revolutionary. They offer clarification and more insight."
The PCI DSS Wireless Guidelines Information Supplement can be accessed at www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless_Guidelines.pdf .