The Green Sheet Online Edition
August 10, 2009 • Issue 09:08:01
Negotiating the wireless security minefield
In July 2009, the PCI Security Standards Council's Wireless Special Interest Group (SIG) published an information supplement on how the Payment Card Industry (PCI) Data Security Standard (DSS) applies to wireless retail environments and what practical methods and concepts should be implemented to secure wireless devices in those environments.
"Wi-Fi has made a large penetration into the wireless POS market and we felt there was a need to define a common set of concepts and vocabulary," said Doug Manchester, Director of Product Security for VeriFone and the Wireless SIG Chairman. "So the very first thing we needed to do in the SIG was help merchants and auditing people understand what is inside and outside the scope of the wireless environment.
"We want to educate everyone that is under the DSS compliance umbrella what issues they will have to deal with because of the prevalence of wireless technology today and the potential for it to be used in a nefarious method."
Raising the scope
The SIG was formed in 2008 by the PCI Security Standards Council (PCI SSC) to investigate wireless technology, make specific recommendations to increase its security in accordance with the PCI DSS and reduce the potential for wireless implementations to be entry points for attacks on networks containing cardholder data.
The SIG's wireless operational guide for complying with the PCI DSS is broken down into two primary categories:
- Generally applicable wireless requirements
- In-scope wireless networks
The SIG recommends all organizations institute the requirements specified in the first category to protect their networks from attacks via rogue or unknown wireless access points and clients. The "in-scope" requirements are specifically for organizations that transmit payment card information over wireless networks.
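The first category's core task is telling authorized access points apart from rogue or unknown ones. The following is an added illustration, written for this article and not taken from the SIG's guidelines or the PCI SSC: it compares a constructed wireless scan against a constructed inventory of authorized access points (the BSSIDs, SSIDs and channels are hypothetical) and sorts each observation into a bucket an assessor or merchant would want to review. The "ssid_spoof" bucket (an unknown radio advertising the store's own SSID) is singled out because it is the case most likely to lure POS clients; an "unknown" neighbour AP is not necessarily rogue and needs follow-up rather than an automatic alarm.

```python
"""Rogue / unknown access-point check (added example, not from the PCI SSC guidelines).

Assumptions, not from the article: an inventory of authorized APs keyed by BSSID,
and scan results shaped like the Observation dataclass below. All values are
constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One access point as reported by a wireless scan (constructed shape)."""
    bssid: str
    ssid: str
    channel: int
    signal_dbm: int


# Constructed inventory of authorized access points (hypothetical BSSIDs/SSIDs).
# Keys are lower-case so lookups match normalize_bssid().
AUTHORIZED_APS = {
    "00:11:22:33:44:01": {"ssid": "STORE-POS", "channels": {1, 6, 11}},
    "00:11:22:33:44:02": {"ssid": "STORE-POS", "channels": {1, 6, 11}},
    "00:11:22:33:44:10": {"ssid": "STORE-GUEST", "channels": {36, 40}},
}

# Constructed scan results, as a site survey tool might report them.
SAMPLE_SCAN = [
    Observation("00:11:22:33:44:01", "STORE-POS", 6, -45),
    Observation("00:11:22:33:44:02", "STORE-POS", 11, -60),
    Observation("00:11:22:33:44:10", "STORE-GUEST", 36, -50),
    Observation("AA:BB:CC:DD:EE:FF", "STORE-POS", 6, -40),   # unknown radio, our SSID
    Observation("DE:AD:BE:EF:00:01", "Free-WiFi", 1, -80),   # unknown, other SSID
    Observation("00:11:22:33:44:01", "STORE-POS", 3, -42),   # known BSSID, unexpected channel
]


def normalize_bssid(bssid: str) -> str:
    """Canonical form so 'AA:BB' and 'aa:bb' compare equal."""
    return bssid.strip().lower()


def classify_observation(obs: Observation, inventory: dict) -> str:
    """Classify one scan entry against the authorized-AP inventory.

    Returns one of: "ssid_spoof", "unknown", "misconfigured", "authorized".
    """
    authorized_ssids = {ap["ssid"] for ap in inventory.values()}
    entry = inventory.get(normalize_bssid(obs.bssid))
    if entry is None:
        # Unknown BSSID broadcasting one of our SSIDs: treat as a possible evil twin.
        if obs.ssid in authorized_ssids:
            return "ssid_spoof"
        # Unknown BSSID with a foreign SSID: may be a neighbour; needs investigation.
        return "unknown"
    # Known BSSID: check that it still looks like the inventory says it should.
    if entry["ssid"] != obs.ssid or obs.channel not in entry["channels"]:
        return "misconfigured"
    return "authorized"


def classify_scan(scan, inventory=AUTHORIZED_APS) -> dict:
    """Bucket every observation by classification, preserving scan order."""
    buckets = {"ssid_spoof": [], "unknown": [], "misconfigured": [], "authorized": []}
    for obs in scan:
        buckets[classify_observation(obs, inventory)].append(obs)
    return buckets


def needs_investigation(buckets: dict) -> list:
    """Everything except confirmed-authorized entries, most urgent first."""
    return buckets["ssid_spoof"] + buckets["misconfigured"] + buckets["unknown"]


if __name__ == "__main__":
    result = classify_scan(SAMPLE_SCAN)
    for obs in needs_investigation(result):
        label = classify_observation(obs, AUTHORIZED_APS)
        print(f"{label:14} {obs.bssid} ssid={obs.ssid!r} ch={obs.channel} rssi={obs.signal_dbm}")
```

In practice the inventory would come from the merchant's asset list and the scan from whatever survey tool or wireless IDS is in use; the point of the script is the comparison logic, which is the same regardless of the data source.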
Leveling the field
"The paper is designed to provide a common nomenclature for the merchant, the Qualified Security Assessors [QSAs], ISOs and financial institutions so that everyone is speaking the same language and is on the same page," said Troy Leach, Technical Director, PCI SSC. "It's really about trying to draw together a common understanding so that ISOs, merchants and financial institutions can talk on a level playing field with the assessors.
"The council is focused on providing documentation guides to flesh out what these requirements mean. A lot of folks think of the wireless environment as just requirement four - wireless transmission of cardholder data over public networks - but there are requirements in all 12 domains that are applicable to wireless."
To help supplement the Wireless SIG's paper, the PCI SSC opened its two-and-a-half day QSA training workshop to all payment professionals and merchants. "It's very core technology that is discussed, but I think it's another demonstration on our part that we are trying to work with everyone and educate them on how to appropriately secure cardholder data over wireless transmissions," Leach added.
Lowering the confusion
Until now, merchants and payment professionals have misunderstood the wireless requirements of the PCI DSS, Manchester said, so the PCI SSC wanted the SIG to provide clarity in this area. Manchester feels the guidelines take the best current wireless security practices and extend them into actual working scenarios that ISOs and merchants might encounter.
"Wireless is going to be moving into a non-linear growth phase," Manchester said. "Payment solutions on wireless devices have existed since 2005. Now there aren't huge volumes of that.
"But what has happened - especially in the case of Wi-Fi - is this proliferation of hot spots like coffee houses, grocery stores, airports, buses and trains. So the decision was made by all participants in the SSC that the time has come to get out there and get this tuned before we hit critical mass."
For more information, visit www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless_Guidelines.pdf.