Meeting the new PCI wireless requirements

Beginning Sept. 30, Visa will require merchants and related businesses to conduct wireless security scans to prove compliance with version 1.2 of the PCI Data Security Standard (PCI DSS) which is designed to safeguard cardholder data from wireless threats.

Since the PCI DSS Wireless Guidelines were published in July 2009, vendors have been trotting out tools to prove compliance with the PCI wireless requirements. Here are a handful of issues merchants should consider as they review PCI wireless scanning tools trying to find the best match for their requirements.

* Requirements to meet. Certain PCI wireless requirements apply to every site, regardless of whether a WLAN is deployed and regardless of whether that WLAN sits inside or outside the cardholder data environment (CDE); a site with no authorized WLAN still has to detect unauthorized ones. Additional PCI wireless requirements apply when a WLAN is deployed inside the CDE, for purposes such as wireless POS terminals, inventory management, etc. When selecting a PCI wireless solution, merchants should be careful to confirm that it can satisfy all of the wireless requirements that apply to the site(s) under consideration.

* Automated or manual. PCI wireless compliance solutions can be automated or manual. An automated solution, generally referred to as a WIPS (Wireless Intrusion Prevention System), consists of wireless sensors deployed at a merchant's site. These sensors sniff the surrounding airspace for visible wireless devices and traffic and send what they observe to a central server over the network. The central server, in turn, runs an engine that correlates and mines the collected information to extract the data relevant to the PCI requirements.

Manual solutions involve handheld analyzers that must be carried around the merchant's site to collect data, which is then interpreted by hand or fed to an engine to extract the relevant data. Naturally, a manual approach to achieving PCI wireless compliance is slow, tedious and can be error-prone compared to an automated one. A manual approach also cannot achieve 24x7 detection of wireless threats, which is a significant advantage of an automated solution. The PCI wireless guidelines recommend WIPS/WIDS systems as an effective method of achieving wireless PCI compliance for organizations with a large number of distributed sites, because manual wireless scanning does not scale and can prove costly.

* Cost and SaaS options. Prices of the tools vary greatly. A few vendors have introduced SaaS offerings for PCI wireless compliance. These are typically lower in cost than stand-alone on-premises solutions and can be helpful for merchants looking for a cost-effective option or for shops that don't have dedicated IT support.

* Reporting capabilities. Collating proof of compliance across all sites is a challenge. A PCI wireless solution that does not provide a clear and detailed PCI compliance report for any given site, and across multiple sites, cannot establish in an audit whether the CDE met the applicable wireless requirements. A comprehensive report also speeds up the audit process, because all of the required information is readily available in the report.

* Configuration and management. Many retail chains lack dedicated IT support at remote sites, so the PCI wireless solution should be easy to configure and maintain without trained IT staff on site. From a management point of view, the solution should also detect wireless threats accurately, because false alerts cause considerable problems. False alerts also surface in the audit process, since merchants have to segregate and account for each one, and an unexplained alert can leave a merchant's site judged non-compliant. Ideally, then, the solution should be plug-and-play and require minimal human intervention for day-to-day operation.

* Scalability. A merchant with multiple, geographically distributed sites should also consider the scalability of the PCI wireless solution. A scalable tool can be deployed easily at multiple sites and extended easily to new sites. A merchant who plans to deploy WiFi for its CDE operations in the future should also choose a solution that can be upgraded easily to a version that meets the additional wireless requirements that apply once WiFi is part of the CDE.

* Cover the common vulnerabilities/threats. There are a number of known wireless threats and vulnerabilities. The compliance solution should cover all of them, or at least the most important ones, such as rogue APs, honeypot APs, misconfigured APs, mis-associations, unauthorized associations, etc. When a solution claims detection of a particular threat, merchants need to make sure all forms of that threat are covered. For example, all forms of rogue access point should be detected, including rogues configured in software on a laptop or phone as well as rogues built from a commercially available AP. The solution should also be easy to upgrade to cover newly discovered vulnerabilities and threats.

* Robust device classification. A PCI wireless solution with a comprehensive classification engine requires fewer inputs from the merchant about its inventory. The classification policies provided in the engine should automatically sort the devices seen over the air into categories such as Authorized, Rogue, External, etc., giving complete visibility of the wireless devices using the air space of the merchant's site. The PCI wireless guidelines also recommend evaluating automatic device classification capabilities when comparing PCI wireless compliance solutions.

* Automatic prevention. Merchants should also consider automatic prevention capabilities for detected threats. Incident response to a wireless security incident is one of the requirements in the PCI DSS, and sound automatic prevention lets merchants respond quickly and easily to detected threats and limit the damage.

* Location tracking. Location tracking capabilities help pinpoint the physical location of a wireless device and facilitate its removal. Location tracking also helps with keeping an inventory of wireless devices.
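To make the device classification and rogue-detection points above concrete, here is a small classifier of the kind a WIPS engine runs over sensor observations. This is an added illustration, not code from the article, from AirTight Networks or from any product; the authorized inventory, the scan records, the category names and the signal-strength threshold are all constructed assumptions. The one idea worth taking from it is that an unknown radio is judged by what it does (is it bridged to the merchant's wired LAN? is it advertising the store's SSID?), not by what hardware it is, which is why a software AP on an employee's laptop is caught the same way as a boxed AP from a retailer.

```python
"""Toy WIPS classification engine (added example, not the article's or any vendor's code).

Each ObservedAP is what a sensor reports after sniffing one access point.
The engine sorts it into a category against an authorized inventory and
reports which categories would block PCI wireless compliance.
All inventory entries and scan records are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedAP:
    bssid: str          # radio MAC seen in beacons
    ssid: str           # network name advertised
    channel: int
    security: str       # "open", "wep", "wpa2-psk" or "wpa2-enterprise" (assumed labels)
    rssi_dbm: int       # signal strength at the sensor
    on_wired_lan: bool  # sensor also saw this AP's MAC/traffic on the merchant's wired LAN


# Assumed authorized inventory: BSSID -> expected configuration (constructed).
AUTHORIZED = {
    "00:11:22:33:44:01": {"ssid": "STORE-POS", "security": "wpa2-enterprise"},
    "00:11:22:33:44:02": {"ssid": "STORE-POS", "security": "wpa2-enterprise"},
}
AUTHORIZED_SSIDS = {cfg["ssid"] for cfg in AUTHORIZED.values()}

# Assumed threshold: a signal stronger than this is treated as on-premises.
RSSI_NEARBY_DBM = -70

# Categories that a compliance report would flag as findings.
NONCOMPLIANT = {"rogue", "honeypot", "misconfigured"}


def classify(ap):
    """Classify one observed AP. Checks run from most to least severe."""
    cfg = AUTHORIZED.get(ap.bssid)
    if cfg is not None:
        # Known radio: verify it still matches the approved configuration.
        if ap.ssid != cfg["ssid"] or ap.security != cfg["security"]:
            return "misconfigured"
        return "authorized"
    if ap.on_wired_lan:
        # Unknown radio bridged into the merchant network, whatever its hardware.
        return "rogue"
    if ap.ssid in AUTHORIZED_SSIDS:
        # Unknown radio advertising our SSID to lure POS clients.
        return "honeypot"
    if ap.rssi_dbm > RSSI_NEARBY_DBM:
        # Strong, unknown, not proven wired: needs investigation (walk-down, location tracking).
        return "suspect"
    return "external"


def classify_scan(observations):
    """Return {bssid: category} for every observed AP."""
    return {ap.bssid: classify(ap) for ap in observations}


def pci_findings(observations):
    """Return only the classifications that would make the site non-compliant."""
    return {b: c for b, c in classify_scan(observations).items() if c in NONCOMPLIANT}


# Constructed scan: one sensor's view of a store at a single point in time.
SAMPLE_SCAN = [
    ObservedAP("00:11:22:33:44:01", "STORE-POS", 6, "wpa2-enterprise", -45, True),   # healthy store AP
    ObservedAP("00:11:22:33:44:02", "STORE-POS", 11, "wpa2-psk", -50, True),         # store AP downgraded to PSK
    ObservedAP("de:ad:be:ef:00:01", "Free_WiFi", 1, "open", -40, True),              # laptop hotspot bridged to LAN
    ObservedAP("aa:bb:cc:dd:ee:01", "STORE-POS", 6, "open", -55, False),             # impostor using store SSID
    ObservedAP("12:34:56:78:9a:01", "linksys", 11, "wep", -60, False),               # strong unknown AP, unproven
    ObservedAP("66:77:88:99:aa:01", "Cafe-Guest", 1, "wpa2-psk", -82, False),        # neighbour across the street
]


if __name__ == "__main__":
    for bssid, category in classify_scan(SAMPLE_SCAN).items():
        print(f"{bssid}  {category}")
    print("PCI findings:", pci_findings(SAMPLE_SCAN))
```

Running the block classifies the two inventory radios as authorized and misconfigured, the bridged hotspot as rogue, the SSID impostor as honeypot, the strong unknown AP as suspect and the neighbour as external, and reports the first three as findings. The "suspect" bucket is where location tracking earns its place: a real engine would keep that device in view across several scans and triangulate it between sensors rather than raising a compliance finding on one beacon, which is also how an engine keeps the false-alert count down.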

With a number of options for PCI wireless compliance available today, merchants should make sure they are not trapped by an inexpensive but ineffective solution. That trap can eventually leave the merchant bearing the cost of non-compliance, which is large.

Ajay Kumar Gupta is Team Lead for Product Development at AirTight Networks. AirTight Networks specializes in wireless security and performance management. It provides customers cutting-edge Wireless Intrusion detection and Prevention (WIPS) solutions to automatically detect, classify, block and locate current and emerging wireless threats.


Ajay Kumar Gupta

Network World