PCI Council Publishes Wireless Security Guidelines for Payment Cards
Any business accepting credit and debit cards -- and using or considering wireless LANs -- should carefully review the recommendations for use of 802.11 wireless access points that are detailed in the guidelines issued Wednesday by the Payment Card Industry Security Standards Council.
In the past, the council has issued standards that Visa, MasterCard, banks and others have made mandatory for the secure processing of credit and debit card payments. Troy Leach, the council's technical director, emphasized that the recommendations in the "PCI Data Security Standard (DSS) Wireless Guideline" are not mandatory for businesses handling payment cards and using WLANs. But he adds, "This is probably the way wireless should have been deployed all along."
And though not officially mandatory, the PCI guideline for WLAN deployments, which expands on the existing 12-requirement PCI DSS that is required, does point merchants in the direction the council considers optimal for protecting cardholder data.
The guideline was crafted by the council's Wireless Special Interest Group (SIG), chaired by Doug Manchester, director of product security at VeriFone Holdings, in a process that took more than half a year with 50 SIG participants.
Manchester, who notes the guideline is specifically for WLANs and doesn't cover technologies such as Bluetooth (more wireless-technology guidelines can be expected in the future), says the goal was to clear up questions and establish a "common vocabulary."
"This guideline is for IT and network administrators on how to implement wireless," Manchester says, adding, "it's not new in terms of control objectives."
One basic control objective in processing cardholder data is to establish the "cardholder data environment (CDE)."
Specifically, the goal is to establish the scope of the CDE: everywhere cardholder data is stored, processed or transmitted. The new guideline says that requires "a firewall that demarcates the edge of the organization's CDE," so any network, wired or wireless, that sits inside that boundary is in scope.
In addition, even if a business processing payment cards does not make use of wireless LAN access points at all, the council is recommending that the business regularly check for the presence of "rogue WLAN access points," defined as "an unauthorized wireless device that can allow access to the CDE."
To combat the problem of the rogue access point, businesses will need to check every CDE location regularly, either with a wireless analyzer or with a preventive control such as a wireless intrusion detection/prevention system (IDS/IPS), according to the council.
The council is advising large organizations to set up automated scanning using a centrally managed wireless IDS/IPS. The goal should be to remove any rogue device immediately and keep re-scanning the environment continuously. For organizations without such a system, the guideline calls for at least quarterly scans for rogue wireless devices that could be connected to the CDE at any location, together with an incident-response plan for dealing with any that are found.
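The core of a rogue-AP check is an inventory comparison: every radio (BSSID) seen in a scan is either an authorized device broadcasting the SSID it should, or something that needs a verdict. The following is an added example, not code from the PCI Council or the guideline; the authorized inventory, SSIDs, signal threshold and scan lines are all constructed for illustration. It goes a little beyond the article by separating the cases a practitioner actually has to tell apart: an authorized radio with the wrong SSID, an unknown radio impersonating a store SSID (evil twin), and unknown radios that are merely neighbours.

```python
"""Rogue wireless access point triage.

Example code added to this article (not from the PCI Council guideline).
It compares access points seen in a wireless scan against an authorized
inventory and classifies each one. Inventory, SSIDs, threshold and scan
output below are constructed, not captured from a real site.
"""
from dataclasses import dataclass

# Authorized inventory: BSSID (radio MAC, lower-case) -> SSID it may broadcast.
# Hypothetical values.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "STORE-POS",
    "00:11:22:33:44:02": "STORE-POS",
    "00:11:22:33:44:10": "STORE-GUEST",
}
AUTHORIZED_SSIDS = set(AUTHORIZED_APS.values())

# Signal stronger than this almost certainly comes from inside the premises
# rather than a neighbour. Site-tuned assumption, not a standard value.
ON_SITE_DBM = -70

# Constructed scan output, one AP per line: "BSSID SSID CHANNEL SIGNAL_DBM".
SCAN_OUTPUT = """\
00:11:22:33:44:01 STORE-POS 6 -48
00:11:22:33:44:02 STORE-POS 11 -55
00:11:22:33:44:10 STORE-GUEST 1 -60
00:11:22:33:44:02 STORE-OPEN 11 -56
DE:AD:BE:EF:00:01 STORE-POS 6 -52
AA:BB:CC:DD:EE:01 linksys 6 -41
AA:BB:CC:DD:EE:02 CoffeeShop 1 -84
"""

# Higher number = investigate first.
PRIORITY = {"evil-twin": 3, "misconfigured": 2, "unknown-onsite": 1}


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    channel: int
    signal_dbm: int
    verdict: str


def classify(bssid: str, ssid: str, signal_dbm: int) -> str:
    """Return a verdict for one observed AP.

    The BSSID is the stable identifier; the SSID is trivially spoofable, so an
    unknown BSSID carrying one of our SSIDs is treated as an impersonation.
    """
    expected = AUTHORIZED_APS.get(bssid.lower())
    if expected is not None:
        return "authorized" if ssid == expected else "misconfigured"
    if ssid in AUTHORIZED_SSIDS:
        return "evil-twin"
    if signal_dbm >= ON_SITE_DBM:
        return "unknown-onsite"
    return "unknown-offsite"


def parse_scan(text: str) -> list[Finding]:
    """Parse the constructed scan format; SSIDs may contain spaces."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, rest = line.split(None, 1)
        ssid, channel, signal = rest.rsplit(None, 2)
        bssid = bssid.lower()
        findings.append(
            Finding(bssid, ssid, int(channel), int(signal),
                    classify(bssid, ssid, int(signal)))
        )
    return findings


def triage(text: str) -> list[Finding]:
    """Return only the APs that need action, most urgent first.

    Off-site unknowns are dropped: a weak signal from a neighbour is not a
    rogue device in our CDE. Everything else must be located and, if it is
    attached to the CDE network, removed per the incident-response plan.
    """
    actionable = [f for f in parse_scan(text) if f.verdict in PRIORITY]
    return sorted(actionable, key=lambda f: PRIORITY[f.verdict], reverse=True)


if __name__ == "__main__":
    for f in triage(SCAN_OUTPUT):
        print(f"{f.verdict:15} {f.bssid}  ssid={f.ssid!r}  ch={f.channel}  {f.signal_dbm} dBm")
```

A radio scan alone cannot prove that an unknown AP is wired into the CDE; the finding has to be correlated with the wired side (switch MAC tables, DHCP leases) before it is treated as a breach of the CDE boundary rather than a neighbour's device. That correlation step is what the guideline's incident-response plan has to cover.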