The Green Sheet Online Edition

September 26, 2011  •  Issue 11:09:02


PCI update addresses holes in wireless security

Commenting on the release of an update to the PCI DSS Wireless Guidelines Information Supplement, security experts agreed that securing wireless payment networks is possible but more difficult than securing hardwired networks. Despite having more potential security holes, wireless networks can still meet the Payment Card Industry (PCI) Data Security Standard (DSS) requirements, according to the experts.

"As any security professional will tell you, there is no such thing as absolute security; there will always be an evolution of attack sources and methods," said Al Hannagan, Senior Vice President of Internal Risk and Compliance at Trustwave Holdings Inc., a provider of on-demand data security and PCI compliance management. "However, there is a concept of reasonable security, whereby the means of securing the data make it either cost or time prohibitive for the attacker." Hannagan said leading wireless security methods are now good enough to provide a "reasonable level of security" for stored personally identifiable information. "A properly implemented wireless system can be compliant with the current PCI DSS requirements," he noted.

Take care with CDEs

The wireless guidelines, formulated by the Wireless Special Interest Group (SIG) and first published by the PCI Security Standards Council (PCI SSC) in July 2009 as a supplement to the PCI DSS, were created to help companies limit PCI DSS scope on wireless networks and advise on how to deploy secure wireless payments. "Wireless networks continue to be an easy target for data compromise, especially as new devices are added to these devices," PCI SSC General Manager Bob Russo said. "This resource remains an important tool for understanding how to secure your payment card data when using wireless technologies."

The PCI DSS has three cardholder data environment (CDE) classifications for wireless payments: CDEs with no known wireless local area network (WLAN), CDEs with a known WLAN access point (AP) outside the CDE, and CDEs with a known WLAN AP inside the CDE.

The wireless guidelines recommend changing default passwords and enabling Wi-Fi Protected Access (WPA) encryption. They also call for running APs in WPA or WPA2 mode and restricting access to wireless devices known to the local network.
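As an added example (not from the article or the PCI SSC), a small Python audit of a hostapd-style access point configuration against the points just listed: no WEP keys, WPA2 mode with the CCMP cipher, a non-default passphrase, and a known-device allow-list. The keys are standard hostapd.conf keys; the two configurations and the default-passphrase list are constructed.

```python
"""Audit a hostapd-style AP config against the guidance above (no WEP, WPA2 with
CCMP, a non-default passphrase, known devices only). Configs are constructed, not real."""

WEAK_CONF = """# constructed: legacy WEP configuration, open to any client
ssid=STORE-POS
wep_default_key=0
wep_key0=123456789A
macaddr_acl=0
"""

HARDENED_CONF = """# constructed: WPA2-PSK with CCMP and a client allow-list
ssid=STORE-POS
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=Example-Long-Unique-Passphrase-2011
macaddr_acl=1
accept_mac_file=/etc/hostapd/pos_devices.accept
"""

DEFAULT_PASSPHRASES = {"admin", "password", "12345678"}  # constructed placeholder list


def parse_conf(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def audit_ap_conf(text):
    """Return findings as strings; an empty list means every check passed."""
    c = parse_conf(text)
    findings = []
    if "wep_default_key" in c or any(k.startswith("wep_key") for k in c):
        findings.append("WEP keys present: WEP is unacceptable")
    if c.get("wpa") != "2":
        findings.append("wpa is not 2: WPA2 mode required")
    else:
        if c.get("rsn_pairwise") != "CCMP":
            findings.append("rsn_pairwise must be CCMP only (no TKIP)")
        passphrase = c.get("wpa_passphrase", "")
        if passphrase in DEFAULT_PASSPHRASES or len(passphrase) < 20:
            findings.append("passphrase is a default or shorter than 20 characters")
    if c.get("macaddr_acl") != "1" or "accept_mac_file" not in c:
        findings.append("clients not limited to a known-device allow-list")
    return findings
```

Running the audit on WEAK_CONF reports three findings (WEP keys, no WPA2, no allow-list); HARDENED_CONF reports none.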

The guidelines mandate that wireless logs be archived for a year and reviewed daily, and that each organization have clearly stated usage policies.

Watch out for rogue APs

The updated guidelines require that a firewall be placed between the CDE and the environment outside the network. The firewall should be able to filter packets, inspect connections, and monitor and log the traffic it allows and denies.

The SIG also advises checking for rogue access points, even if the network has no known authorized access points. The supplement recommends using a wireless analyzer or a wireless intrusion detection/prevention system to check the network for rogue access points.

Additionally, the guidelines offer recommendations for security when using Bluetooth technology, as well as best practices for testing for and finding unauthorized wireless access points on local networks. This is the first update to the council's guidelines for secure wireless payment technology.

Headed by VeriFone Holdings Inc. Director of Product Security Doug Manchester, the SIG had more than 40 organizations working on the final guidelines. The group included POS vendors, network security companies, acquiring banks and merchants. The supplement adds no additional requirements to the PCI standards, and it endorses no individual technologies.

Stay away from WEP

Tim Cranny, President and Chief Executive Officer of security and PCI compliance company Panoptic Security Inc., agreed with Hannagan's assessment of the wireless guidelines.

"Secure wireless is one of the more challenging areas," he said. "Can wireless be PCI compliant? Yes. But it is more difficult. It's easy when you have a wired, static topology. When you have a contained environment, the network security is relatively easy. Wireless is more difficult."

Cranny explained that wireless systems remain difficult because of "eavesdropping" possibilities, where thieves can literally pluck transmitted information right out of the air. This ability emphasizes the need for end-to-end encryption, he said, adding that good encryption solutions are available to secure wireless networks. "The boring, obvious choice is almost always a good one," he said.

Cranny warned wireless payment providers to stay away from the once popular, but seriously flawed, Wired Equivalent Privacy (WEP) technology and focus instead on WPA and, even better, WPA2 security.
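Added example, not from the article: a Python check that compares a wireless analyzer export against the site's authorized-AP inventory, flagging unknown radios as candidate rogue APs (the check the SIG recommends earlier in the story) and authorized APs still running WEP or no encryption at all. The CSV layout, the inventory and every BSSID are constructed sample data.

```python
"""Check a wireless scan against the site's authorized-AP inventory: unknown
radios are candidate rogue APs, and authorized APs on WEP or open are violations.
The inventory and scan rows are constructed sample data, not from a real site."""

from collections import namedtuple

Finding = namedtuple("Finding", "severity bssid ssid detail")

# Constructed inventory: BSSID -> SSID for every AP the site has authorized.
AUTHORIZED_APS = {
    "00:11:22:aa:bb:01": "STORE-POS",
    "00:11:22:aa:bb:02": "STORE-POS",
    "00:11:22:aa:bb:10": "STORE-GUEST",
}

# Constructed analyzer export: bssid,ssid,security, one network per line.
SCAN_CSV = """bssid,ssid,security
00:11:22:aa:bb:01,STORE-POS,WPA2
00:11:22:aa:bb:02,STORE-POS,WEP
00:11:22:aa:bb:10,STORE-GUEST,OPEN
de:ad:be:ef:00:01,STORE-POS,WPA2
66:77:88:99:aa:bb,CoffeeNextDoor,WPA2
"""

ACCEPTABLE = {"WPA", "WPA2"}  # WEP and open networks fail the guidelines


def parse_scan(csv_text):
    """Yield (bssid, ssid, security) tuples from the export, skipping the header."""
    for line in csv_text.strip().splitlines()[1:]:
        bssid, ssid, security = line.split(",")
        yield bssid.lower(), ssid, security.upper()


def audit_scan(csv_text, authorized=AUTHORIZED_APS):
    """Return findings, highest severity first."""
    known_ssids = set(authorized.values())
    findings = []
    for bssid, ssid, security in parse_scan(csv_text):
        if bssid not in authorized:
            if ssid in known_ssids:  # unknown radio impersonating our network
                findings.append(Finding("high", bssid, ssid, "unknown AP using an authorized SSID"))
            else:  # may be a neighbour, but must be confirmed not to be on the CDE
                findings.append(Finding("medium", bssid, ssid, "unknown AP: confirm it is not on the CDE"))
            continue
        if security not in ACCEPTABLE:
            findings.append(Finding("high", bssid, ssid, f"authorized AP on {security}: WPA/WPA2 required"))
        if authorized[bssid] != ssid:
            findings.append(Finding("medium", bssid, ssid, "authorized AP broadcasting an unexpected SSID"))
    return sorted(findings, key=lambda f: f.severity != "high")
```

An over-the-air scan cannot by itself tell a neighbour's AP from one plugged into the CDE, which is why unknown radios are reported for follow-up rather than dismissed.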

"The new guidelines are saying, upfront, WEP is unacceptable," Cranny said. "The new guidelines are not revolutionary. They offer clarification and more insight."

The PCI DSS Wireless Guidelines Information Supplement can be accessed at www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless_Guidelines.pdf.
