Meeting the new PCI wireless requirements

Beginning Sept. 30, Visa will require merchants and related businesses to conduct wireless security scans to prove compliance with version 1.2 of the PCI Data Security Standard (PCI DSS) which is designed to safeguard cardholder data from wireless threats.

Since the PCI DSS Wireless Guidelines were published in July 2009, vendors have been trotting out tools to prove compliance with the PCI wireless requirements. Here are a handful of issues merchants should consider as they review PCI wireless scanning tools trying to find the best match for their requirements.

* Requirements to meet. Certain PCI wireless requirements are universal, regardless of whether a WLAN is deployed and whether a WLAN is inside or outside the cardholder data environment (CDE). However, a few additional PCI wireless requirements must be met if a WLAN is deployed inside the CDE for purposes such as wireless POS terminals, inventory management, etc. When selecting a particular PCI wireless solution, merchants should be careful to ascertain that the solution is capable of satisfying all wireless requirements applicable to the site(s) under consideration.

* Automated or manual. PCI wireless compliance solutions can be automated or manual. An automated solution, generally referred to as WIPS (Wireless Intrusion Prevention Systems), consists of wireless sensors deployed at a merchant’s site. These sensors sniff the surrounding airspace for available wireless information, and send it to a central server over the network. The central server, in turn, has an engine to correlate and mine the obtained information to dig out relevant data required for PCI requirements.

Manual solutions involve the use of handheld analyzers which need to be carried around the merchant’s site to collect data, which is then interpreted manually or fed to an engine to dig out relevant data. Naturally, a manual approach to achieving PCI wireless compliance is slow, tedious and can be error-prone compared to an automated one. Also, a manual approach cannot achieve 24x7 detection of wireless threats, which is a significant advantage of an automated solution. The PCI wireless guidelines also recommend the use of WIPS/WIDS systems as an effective method of achieving wireless PCI compliance for organizations with a large number of distributed sites, because manual wireless scanning does not scale and can prove costly.

* Cost and SaaS options. Prices of the tools vary greatly. A few vendors have introduced SaaS offerings for PCI wireless solutions. These are typically low cost when compared to independent solutions and can be helpful for merchants looking for cost-effective solutions or shops that don’t have dedicated IT support.

* Reporting capabilities. Collating proof of compliance across all sites is a challenge. PCI wireless solutions which do not provide a clear and detailed PCI compliance report for any given site and across multiple sites are incapable of establishing in an audit whether the CDE met the applicable wireless requirements. A comprehensive report also helps speed up the audit process, as all the required information will be readily available in the report.

* Configuration and management. Many retail chains lack dedicated IT support at remote sites, hence the PCI wireless solution should be easy to configure and maintain, even without trained IT staff. Also, from a management point of view, the solution should accurately detect wireless threats, because generation of false alerts can cause considerable problems. False alerts also crop up in the audit process because merchants have to segregate and account for each one. In fact, false alerts can make a merchant’s site non-compliant. Thus, ideally, the solution should be plug-and-play and require minimal human intervention for day-to-day operation.

* Scalability. A merchant with multiple, geographically distributed sites should also consider the scalability of a PCI wireless solution. A scalable tool can be easily deployed at multiple sites and easily extended to new sites. Also, a merchant who is planning to deploy WiFi for its CDE operations in the future should consider a solution which can be easily scaled to a version suitable for the wireless requirements that apply when WiFi is deployed as part of the CDE.

* Cover the common vulnerabilities/threats. There are a number of known wireless threats and vulnerabilities. Thus, the compliance solution should cover all of them, or at least the most important ones, such as Rogue AP, HoneyPot AP, Mis-configured AP, Mis-associations, Unauthorized associations, etc. When solutions claim detection of a particular threat, merchants need to make sure all aspects/possibilities of that threat are covered. For example, all forms of rogue access points should be covered, including rogues configured in software and rogues built from a commercially available AP. Further, the solution should be easily upgradeable to cover newly discovered vulnerabilities/threats.

* Robust device classification. PCI wireless solutions that have a comprehensive classification engine require fewer inputs from the merchant about the inventory. Classification policies provided in the engine should automatically classify the various devices scanned over the air into categories, such as Rogue Devices, External Devices, etc., thus providing complete visibility of the wireless devices using the air space of the merchant’s site. The PCI wireless guidelines also recommend evaluating automatic device classification capabilities when comparing options for PCI wireless compliance solutions.

* Automatic prevention. Merchants should also consider automatic prevention capabilities for detected threats. Incident response to a wireless security incident is one of the requirements in the PCI DSS, and sound automatic prevention enables merchants to respond quickly and easily to detected threats and prevent considerable damage.
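As an added illustration (not code from the article or from AirTight), the following Python sketch shows what a classification policy of the kind described in the two preceding bullets does: a constructed site inventory of authorized BSSIDs and POS client MACs is applied to a constructed sensor scan, yielding the Rogue / Honeypot / Misconfigured / External categories and the mis-association checks that a per-site PCI report would list. The sensor fields, MAC addresses and SSIDs are assumptions.

```python
from dataclasses import dataclass

# Constructed site inventory for a hypothetical store (locally administered MACs, not real).
AUTHORIZED_APS = {"02:00:00:00:00:01": "STORE-POS"}   # BSSID -> SSID it must broadcast
AUTHORIZED_CLIENTS = {"02:00:00:00:01:01"}            # wireless POS terminal MACs
ACCEPTABLE_SECURITY = {"WPA2-AES"}                   # WEP/open fail PCI wireless checks

@dataclass
class ScannedAP:
    bssid: str
    ssid: str
    security: str           # "OPEN", "WEP" or "WPA2-AES" as reported by the sensor
    on_wired_network: bool  # sensor also saw this AP bridged onto the merchant LAN

def classify_ap(ap: ScannedAP) -> str:
    """Classification policy for one access point heard over the air."""
    if ap.bssid in AUTHORIZED_APS:
        # Known AP: it is only compliant if it still matches the authorized config.
        if ap.security not in ACCEPTABLE_SECURITY or ap.ssid != AUTHORIZED_APS[ap.bssid]:
            return "Misconfigured AP"
        return "Authorized AP"
    if ap.on_wired_network:
        return "Rogue AP"       # unknown AP plugged into the CDE network
    if ap.ssid in AUTHORIZED_APS.values():
        return "Honeypot AP"    # unknown AP impersonating the merchant SSID
    return "External AP"        # neighbour's network: visible, not connected

def classify_association(client_mac: str, bssid: str) -> str:
    """Flag client connections that cross the authorized/unauthorized boundary."""
    client_known = client_mac in AUTHORIZED_CLIENTS
    ap_known = bssid in AUTHORIZED_APS
    if client_known and not ap_known:
        return "Mis-association"           # POS terminal joined a foreign AP
    if ap_known and not client_known:
        return "Unauthorized association"  # unknown device on the CDE WLAN
    return "OK"

# Constructed sample scan from one sensor: one good AP, a WEP rogue on the LAN and a honeypot.
SAMPLE_SCAN = [
    ScannedAP("02:00:00:00:00:01", "STORE-POS", "WPA2-AES", True),
    ScannedAP("02:00:00:00:00:99", "linksys", "WEP", True),
    ScannedAP("02:00:00:00:00:77", "STORE-POS", "OPEN", False),
    ScannedAP("02:00:00:00:00:55", "CoffeeShop", "WPA2-AES", False),
]

def scan_findings(scan=SAMPLE_SCAN) -> dict:
    """Map each BSSID to its classification; feeds the per-site PCI report."""
    return {ap.bssid: classify_ap(ap) for ap in scan}
```

A real engine would also fold in signal strength, wired-side MAC correlation and time windows before raising an alert, which is exactly where false positives creep in.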

* Location tracking. Location tracking capabilities help identify the physical location of wireless devices and facilitate their removal. Location tracking also helps in tracking the inventory of wireless devices.

With a number of options for PCI wireless compliance available today, merchants should ensure they do not get trapped by an inexpensive but ineffective solution. That trap can eventually leave the merchant bearing the cost of non-compliance, which is large.

Ajay Kumar Gupta is Team Lead for Product Development at AirTight Networks. AirTight Networks specializes in wireless security and performance management. It provides customers cutting-edge Wireless Intrusion Detection and Prevention (WIPS) solutions to automatically detect, classify, block and locate current and emerging wireless threats.
