Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:28 PM
Connect Directly

PCI Group Spells Out Guidelines For Deploying PCI-Compliant WiFi

'Operator's guide' provides security recommendations for merchants, auditors

A working group of the PCI Security Standards Council has created a set of recommendations for wireless deployment that pick up where the PCI Data Security Standard (DSS) specifications leave off: the PCI DSS Wireless Guideline (PDF) provides specific suggestions for secure installation and procedures to ensure the WLAN meets PCI requirements.

Major data breaches that began with a WiFi hack like TJX today haunt retailers as cautionary tales of the dangers of a porous WLAN configuration. The PCI Wireless Special Interest Group -- made up of POS and security vendors, banks, and merchants including Capita, McDonald's, and Motorola -- was formed to provide merchants with steps for locking down their 802.11 WLANS in accordance with PCI DSS v1.2.

The document includes a step-by-step process for complying with PCI's wireless requirements.

"The guidelines are not a pass/fail grading system they are an operator's guide for merchants," says Doug Manchester, chair of the Wireless SIG and director of product security for VeriFone. "The guidelines are not adding any new control objectives nor any subordinate control objects" beyond the PCI specifications, he says.

The hope is that the guidelines will also clear up any misconceptions or confusion about PCI and WiFi. Some merchants, for example, assume that if no cardholder data travels across the wireless portion of their network, then their WiFi network is not subject to a PCI audit. "Wireless is always in the scope of the PCI assessment," says Troy Leach, technical director of the PCI Council. "Some merchants think that if cardholder data is not traversing wireless, it's not PCI ... but every [assessment] is looking at whether wireless has an opening for malicious activity.

"You have to be cognizant of the perimeter environment of cardholder data. Those perimeter devices must also be in the scope of the assessment, even if they are not in the scope of the standards," Leach says.

The document spells out nine PCI requirements for wireless, including scanning for rogue access points that may have set up shop on the WLAN, the physical security of AP's, the use of wireless intrusion prevention tools, the use of strong authentication and encryption, and setting and enforcing wireless usage policies. Bluetooth is not specifically covered in PCI DSS nor in the guidelines, but Manchester says that may change in the future.

"Our largest objective here to help people understand what is and what is not in-scope [of PCI] at the merchant level," he says. "We want to establish a shared vocabulary between the QSA and the merchant."

This would help, say, a mom-and-pop dry cleaner's that purchases a WPA2 wireless router to learn not to leave the default password, nor to broadcast their SSID, he says, as well as to spell out for them what a wireless IPS is.

The set of recommendations for segmenting WLANs that do not store, process, or transmit card data includes using a stateful packet-inspection firewall that blocks traffic from entering the cardholder data part of the network, and warns merchants not to use VLANs based on MAC address filters to segregate the WLANs. It says to monitor firewall logs each day and every six months, verify firewall rules.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-08-20
The my-wp-translate plugin before 1.0.4 for WordPress has XSS.
PUBLISHED: 2019-08-20
The my-wp-translate plugin before 1.0.4 for WordPress has CSRF.
PUBLISHED: 2019-08-20
The cforms2 plugin before 15.0.2 for WordPress has CSRF related to the IP address field.
PUBLISHED: 2019-08-20
The user-access-manager plugin before 1.2 for WordPress has CSRF.
PUBLISHED: 2019-08-20
The user-domain-whitelist plugin before 1.5 for WordPress has CSRF.