In July, the PCI Security Standards Council released its "PCI DSS Wireless Guidelines" (.pdf), which provide details on how organizations that use or seek to implement 802.11 Wi-Fi networks can ensure they are compliant with the Payment Card Industry Data Security Standard (PCI DSS).
Establishments with improperly secured or unsecured wireless connections have long been a favorite target of digital thieves looking to gain access to merchant data. Attacks against merchants are bad, not only for businesses, but also for the people whose credit card numbers get pilfered.
The wireless guidelines offer installation suggestions on how to limit the PCI DSS wireless scope as well as practical methods for deployment of secure wireless networks in payment environments. The guidelines also detail some best practices enterprises should put in place to integrate security into an existing Wi-Fi network and subsequently pass a PCI DSS audit.Solution provider opportunities surrounding PCI DSS and wireless
The hardest aspect of PCI DSS compliance for customers is often maintaining compliance, as it requires constant vigilance. For this reason, the PCI DSS wireless guidelines present a significant and recurring revenue opportunity for solution providers.
Offering a comprehensive wireless security assessment is a good way to get a foot in the door. This type of assessment can include:
- Use of wireless sniffing equipment to identify and categorize all 802.11 traffic emanating from a given site.
- A survey of the radio emissions from wireless equipment, which allows a map to be generated that indicates the locations of the access points and the ranges and locations that attacks can be initiated.
- Assessment of the wireless network topology.
- Verification of network settings; determine whether encryption services have been correctly implemented and that default security settings have been changed.
- Enumeration of wireless IP devices and networks.
- A deliverable for the client documenting the current state of wireless network security and recommendations for improvement.
- A review (and update, if necessary) of wireless security policies.
- A wireless penetration test.
Such an assessment provides customers with a complete review of their wireless network architecture, and in turn better prepares them for PCI DSS compliance audits. Many companies simply don't know if their employees or vendors have installed wireless components attached to their internal networks. These assessments often uncover such rogue wireless devices.
By identifying the risks associated with a wireless network infrastructure, a solution provider can find and mitigate the vulnerabilities that would otherwise enable attackers to access the customer's privileged merchant networks and resources.
Some of the many other service opportunities around wireless PCI DSS compliance include:
- Gap analysis: Determine where the gaps in wireless compliance are. An example of this type of service would be seeing that the company's policy is not to broadcast the SSID, but finding that it is indeed set to broadcast.
- Design review: Evaluate the client's wireless networks to determine whether it is compliant with PCI DSS, and document a recommended migration strategy for non-compliant wireless networks to meet PCI DSS requirements.
- Wireless scan: A scan for rogue wireless devices, which is a part of the assessment detailed above, should be a no-brainer. Software tools such as those offered by AirDefense Inc. or AirMagnet Inc. can make the process easier. These tools provide a wireless intrusion prevention system (WIPS). They are used to monitor the airwaves and help handle wireless issues, including rogue detection, performance monitoring, wireless troubleshooting and more.
- Secure wireless access point (WAP) configuration: Ensure the WAP is configured to provide the best possible security; misconfigurations often provide opportunities for attackers to break into the secure internal network.
Remember that the PCI DSS Wireless Guidelines note that an entity must comply with the requirements even if it doesn't use wireless as part of its cardholder data environment. Any customer that must comply with PCI DSS must also comply with the wireless guidelines, and that's something the channel can help customers understand.About the author:
Ben Rothke CISSP, PCI QSA, is a Senior Security Consultant with BT Professional Services and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill).