PCI Group Spells Out Guidelines For Deploying PCI-Compliant WiFi

A working group of the PCI Security Standards Council has created a set of recommendations for wireless deployment that pick up where the PCI Data Security Standard (DSS) specifications leave off: the PCI DSS Wireless Guideline (PDF) provides specific suggestions for secure installation and procedures to ensure the WLAN meets PCI requirements.

Major data breaches that began with a WiFi hack like TJX today haunt retailers as cautionary tales of the dangers of a porous WLAN configuration. The PCI Wireless Special Interest Group -- made up of POS and security vendors, banks, and merchants including Capita, McDonald's, and Motorola -- was formed to provide merchants with steps for locking down their 802.11 WLANS in accordance with PCI DSS v1.2.

The document includes a step-by-step process for complying with PCI's wireless requirements.

"The guidelines are not a pass/fail grading system they are an operator's guide for merchants," says Doug Manchester, chair of the Wireless SIG and director of product security for VeriFone. "The guidelines are not adding any new control objectives nor any subordinate control objects" beyond the PCI specifications, he says.

The hope is that the guidelines will also clear up any misconceptions or confusion about PCI and WiFi. Some merchants, for example, assume that if no cardholder data travels across the wireless portion of their network, then their WiFi network is not subject to a PCI audit. "Wireless is always in the scope of the PCI assessment," says Troy Leach, technical director of the PCI Council. "Some merchants think that if cardholder data is not traversing wireless, it's not PCI ... but every [assessment] is looking at whether wireless has an opening for malicious activity.

"You have to be cognizant of the perimeter environment of cardholder data. Those perimeter devices must also be in the scope of the assessment, even if they are not in the scope of the standards," Leach says.

The document spells out nine PCI requirements for wireless, including scanning for rogue access points that may have set up shop on the WLAN, the physical security of AP's, the use of wireless intrusion prevention tools, the use of strong authentication and encryption, and setting and enforcing wireless usage policies. Bluetooth is not specifically covered in PCI DSS nor in the guidelines, but Manchester says that may change in the future.

"Our largest objective here to help people understand what is and what is not in-scope [of PCI] at the merchant level," he says. "We want to establish a shared vocabulary between the QSA and the merchant."

This would help, say, a mom-and-pop dry cleaner's that purchases a WPA2 wireless router to learn not to leave the default password, nor to broadcast their SSID, he says, as well as to spell out for them what a wireless IPS is.

The set of recommendations for segmenting WLANs that do not store, process, or transmit card data includes using a stateful packet-inspection firewall that blocks traffic from entering the cardholder data part of the network, and warns merchants not to use VLANs based on MAC address filters to segregate the WLANs. It says to monitor firewall logs each day and every six months, verify firewall rules.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.