The Green Sheet Online Edition

August 10, 2009  •  Issue 09:08:01

Negotiating the wireless security minefield

In July 2009, the PCI Security Standards Council's Wireless Special Interest Group (SIG) published an information supplement on how the Payment Card Industry (PCI) Data Security Standard (DSS) applies to wireless retail environments and what practical methods and concepts should be implemented to secure wireless devices in those environments.

"Wi-Fi has made a large penetration into the wireless POS market and we felt there was a need to define a common set of concepts and vocabulary," said Doug Manchester, Director of Product Security for VeriFone and the Wireless SIG Chairman. "So the very first thing we needed to do in the SIG was help merchants and auditing people understand what is inside and outside the scope of the wireless environment.

"We want to educate everyone that is under the DSS compliance umbrella what issues they will have to deal with because of the prevalence of wireless technology today and the potential for it to be used in a nefarious method."

Raising the scope

The SIG was formed in 2008 by the PCI Security Standards Council (PCI SSC) to investigate wireless technology, make specific recommendations to increase its security in accordance with the PCI DSS and reduce the potential for wireless implementations to be entry points for attacks on networks containing cardholder data.

The SIG's wireless operational guide for complying with the PCI DSS is broken down into two primary categories: requirements that apply generally to every organization, whether or not it uses wireless for payments, and requirements that apply to "in-scope" wireless networks.

The SIG recommends all organizations institute the requirements specified in the first category to protect their networks from attacks via rogue or unknown wireless access points and clients; a merchant that has deployed no wireless at all can still have an unauthorized access point plugged into the network that carries its cardholder data. The "in-scope" requirements are specifically for organizations that transmit payment card information over wireless networks.
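As an added example (not code from the PCI SSC guidance or from this article), the following Python script performs the kind of check the first category calls for: it compares a wireless scan against an inventory of authorized access points and flags radios that are not in the inventory, an in-scope SSID advertised by a radio the merchant does not own (an "evil twin"), and an authorized in-scope access point running open or WEP encryption, which also bears on the transmission-protection point raised later in the article. It covers access points only, not rogue wireless clients. The inventory, scan records, SSIDs and MAC addresses are constructed, and the severity labels and the treatment of WEP and open networks as unacceptable are assumptions.

```python
"""Rogue-AP check: compare a wireless scan against an authorized inventory.

Added example, not code from the PCI SSC guidance or from The Green Sheet.
The inventory and scan records below are constructed; in practice the scan
would come from a wireless scanner or WIDS and the inventory from change
control, and the check would be run on the schedule the standard requires.
"""
from dataclasses import dataclass

# Assumption: open networks and WEP are treated as unacceptable for any AP
# that carries cardholder data; WPA2 or better is accepted.
WEAK_ENCRYPTION = {"OPEN", "WEP"}


@dataclass(frozen=True)
class ScanEntry:
    bssid: str       # radio MAC address as seen over the air
    ssid: str        # advertised network name
    encryption: str  # OPEN, WEP, WPA, WPA2, ...
    signal_dbm: int  # received signal strength (informational only)


def normalize_mac(mac: str) -> str:
    """Canonicalize aa:bb:cc:dd:ee:ff / AA-BB-CC-DD-EE-FF / aabb.ccdd.eeff
    so that inventory and scan entries compare reliably."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify(scan, authorized, cde_ssids):
    """Return a list of (severity, bssid, ssid, reason) findings.

    authorized: {normalized BSSID: expected SSID} for every AP we own
    cde_ssids:  SSIDs that carry cardholder data (the in-scope networks)
    """
    findings = []
    seen = set()
    for entry in scan:
        bssid = normalize_mac(entry.bssid)
        seen.add(bssid)
        expected_ssid = authorized.get(bssid)
        if expected_ssid is None:
            if entry.ssid in cde_ssids:
                # A radio we do not own is advertising our in-scope SSID:
                # an evil twin that can capture POS clients and their traffic.
                findings.append(("critical", bssid, entry.ssid,
                                 "unknown radio advertising in-scope SSID"))
            else:
                # Could be a neighbour or an unauthorized AP on our LAN;
                # either way it has to be located and explained.
                findings.append(("high", bssid, entry.ssid,
                                 "unknown access point in range"))
            continue
        if entry.ssid != expected_ssid:
            findings.append(("high", bssid, entry.ssid,
                             f"authorized radio advertising unexpected SSID "
                             f"(expected {expected_ssid})"))
        if entry.ssid in cde_ssids and entry.encryption.upper() in WEAK_ENCRYPTION:
            findings.append(("critical", bssid, entry.ssid,
                             f"in-scope AP using weak encryption: {entry.encryption}"))
    for bssid, ssid in authorized.items():
        if bssid not in seen:
            # Not an attack indicator, but an AP that is down or has moved
            # should be explained before the scan is signed off.
            findings.append(("info", bssid, ssid, "authorized AP not seen in this scan"))
    return findings


# Constructed inventory: four APs we own; STORE-POS carries cardholder data.
AUTHORIZED = {normalize_mac(m): s for m, s in [
    ("00:11:22:33:44:01", "STORE-POS"),
    ("00:11:22:33:44:02", "STORE-GUEST"),
    ("00:11:22:33:44:03", "STORE-POS"),
    ("00:11:22:33:44:04", "STORE-POS"),
]}
CDE_SSIDS = {"STORE-POS"}

# Constructed scan from a walk-through of the store.
SCAN = [
    ScanEntry("00:11:22:33:44:01", "STORE-POS", "WPA2", -45),
    ScanEntry("00-11-22-33-44-02", "STORE-GUEST", "OPEN", -50),  # guest net, out of scope
    ScanEntry("0011.2233.4403", "STORE-POS", "WEP", -55),         # our AP, misconfigured
    ScanEntry("de:ad:be:ef:00:01", "STORE-POS", "OPEN", -60),     # evil twin
    ScanEntry("de:ad:be:ef:00:02", "linksys", "WEP", -82),        # unknown AP
]


def run_example():
    """Classify the constructed scan against the constructed inventory."""
    return classify(SCAN, AUTHORIZED, CDE_SSIDS)


if __name__ == "__main__":
    for severity, bssid, ssid, reason in run_example():
        print(f"{severity:8} {bssid} {ssid!r:14} {reason}")
```

On the constructed data the script reports the WEP-configured in-scope AP and the evil twin as critical, the unknown "linksys" radio as high, and the authorized AP that was not observed as informational. The guest network is open but is not in `CDE_SSIDS`, so it produces no finding; whether an open guest network can share infrastructure with the cardholder data environment is a segmentation question the inventory alone does not answer.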

Leveling the field

"The paper is designed to provide a common nomenclature for the merchant, the Qualified Security Assessors [QSAs], ISOs and financial institutions so that everyone is speaking the same language and is on the same page," said Troy Leach, Technical Director, PCI SSC. "It's really about trying to draw together a common understanding so that ISOs, merchants and financial institutions can talk on a level playing field with the assessors.

"The council is focused on providing documentation guides to flesh out what these requirements mean. A lot of folks think of the wireless environment as just requirement four - wireless transmission of cardholder data over public networks - but there are requirements in all 12 domains that are applicable to wireless."

To help supplement the Wireless SIG's paper, the PCI SSC opened its two-and-a-half day QSA training workshop to all payment professionals and merchants. "It's very core technology that is discussed, but I think it's another demonstration on our part that we are trying to work with everyone and educate them on how to appropriately secure cardholder data over wireless transmissions," Leach added.

Lowering the confusion

Until now, merchants and payment professionals have misunderstood the wireless requirements of the PCI DSS, Manchester said, so the PCI SSC wanted the SIG to provide clarity in this area. Manchester feels the guidelines take the best current security practices for wireless and extend them into working scenarios that ISOs and merchants are likely to encounter.

"Wireless is going to be moving into a non-linear growth phase," Manchester said. "Payment solutions on wireless devices have existed since 2005. Now there aren't huge volumes of that.

"But what has happened - especially in the case of Wi-Fi - is this proliferation of hot spots like coffee houses, grocery stores, airports, buses and trains. So the decision was made by all participants in the SSC that the time has come to get out there and get this tuned before we hit critical mass."

For more information, visit www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless_Guidelines.pdf.
