In early July, the wireless special interest group (SIG) of the PCI Security Standards Council published an information supplement on PCI Data Security Standards as they relate to wireless networks.
The PCI DSS Wireless Guideline is designed to help organizations understand how PCI DSS applies to wireless environments, how to limit the PCI DSS scope as it pertains to wireless, and practical methods and concepts for deployment of secure wireless in payment card transaction environments. The new paper is intended for organizations that store, process or transmit cardholder data that may or may not have deployed wireless LAN (WLAN) technology as well as assessors that evaluate PCI DSS compliance.
According to Douglas Manchester, director of product security for VeriFone and chairman of the wireless SIG, the group was formed as the use of wireless networks increased, along with a growing awareness of some of their security problems. The paper will give all players involved in operating wireless infrastructures for payments and data movement a common vocabulary with which to communicate about this topic. This awareness was especially critical as large data breaches via unsecured wireless networks made headlines over the past few months.
"This common vocabulary will help people understand what's within the scope of DSS," Manchester explains to BS&T. "If you operate within the cardholder data environment (CDE) with wireless devices, then your organization is within the scope of these guidelines."
According to the paper, the CDE is the computer environment wherein cardholder data is transferred, processed, or stored, and any networks or devices directly connected to that environment.
The problem is that rogue access points can be introduced into a company's wireless environment. Without proper monitoring, these can exist undiscovered, Manchester says. "You have to look at physical prevention, scan for access points and segment your wireless network. This means you intentionally keep that access point out of the cardholder environment. The guidelines take the requirements, the best practices and accompany them with diagrams of common wireless setups."
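The "scan for access points" step above is the part of rogue-AP monitoring that can be automated. The following is an added example, not code from the PCI Security Standards Council or the guideline, showing how a defender can reconcile a wireless scan against an inventory of authorized access points. The inventory, BSSIDs and the scan output are all constructed for the example; a real deployment would feed it the output of whatever scanning tool or wireless IDS is in use.

```python
"""Reconcile a wireless scan against an authorized-AP inventory.

Added example (not from the PCI SSC wireless guideline). It flags three
conditions a rogue-AP scan is meant to surface: an unknown access point,
an unknown access point advertising one of the organization's own SSIDs,
and an authorized access point seen on a channel it was not configured for.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    bssid: str      # MAC address of the radio, lower-cased for comparison
    ssid: str       # advertised network name
    channel: int    # channel observed or configured


# Constructed inventory of authorized APs (hypothetical MAC addresses).
AUTHORIZED = {
    "00:11:22:33:44:01": AccessPoint("00:11:22:33:44:01", "store-pos", 6),
    "00:11:22:33:44:02": AccessPoint("00:11:22:33:44:02", "store-guest", 11),
}

# Constructed scan output, one AP per line: "<bssid> <ssid> <channel>".
SCAN_OUTPUT = """\
00:11:22:33:44:01 store-pos 6
00:11:22:33:44:02 store-guest 1
DE:AD:BE:EF:00:01 store-pos 6
de:ad:be:ef:00:02 linksys 1
"""


def parse_scan(text):
    """Parse the constructed scan format into AccessPoint records."""
    aps = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        bssid, ssid, channel = parts
        aps.append(AccessPoint(bssid.lower(), ssid, int(channel)))
    return aps


def classify(aps, authorized):
    """Return (finding, access_point) pairs for anything unexpected.

    finding is one of:
      "ssid_spoof"       unknown BSSID advertising an authorized SSID
      "unknown_ap"       unknown BSSID with an unknown SSID
      "channel_mismatch" authorized BSSID seen on an unexpected channel
    """
    authorized_ssids = {ap.ssid for ap in authorized.values()}
    findings = []
    for ap in aps:
        known = authorized.get(ap.bssid)
        if known is not None:
            if known.channel != ap.channel:
                findings.append(("channel_mismatch", ap))
            continue
        if ap.ssid in authorized_ssids:
            findings.append(("ssid_spoof", ap))
        else:
            findings.append(("unknown_ap", ap))
    return findings


def missing_from_scan(aps, authorized):
    """Authorized BSSIDs that did not appear in the scan at all."""
    seen = {ap.bssid for ap in aps}
    return sorted(bssid for bssid in authorized if bssid not in seen)


if __name__ == "__main__":
    observed = parse_scan(SCAN_OUTPUT)
    for finding, ap in classify(observed, AUTHORIZED):
        print(f"{finding:17} {ap.bssid} ssid={ap.ssid!r} ch={ap.channel}")
    for bssid in missing_from_scan(observed, AUTHORIZED):
        print(f"not seen          {bssid}")
```

An SSID-spoof finding deserves the quickest follow-up, since a device advertising the organization's own network name next to the cardholder data environment is exactly the case the guideline's physical-prevention and segmentation advice is meant to contain. Results of each scan should be kept so that an assessor can see the monitoring was actually performed.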
Troy Leach, the technical director with the PCI Security Standards Council, says that since Wi-Fi is the most common wireless protocol, the implications for security and the processing of card data are significant. "Even small merchants are using wireless," he says. "These guidelines show IT managers what the PCI wireless requirements are intended to protect. [The paper] is for both merchants and [PCI compliance] assessors."
The wireless SIG consisted of 50 members at its peak but had a core of about two dozen "regulars," says Manchester. "They were all acting as meta advocates, a step above our individual businesses to reach consensus. It was nice to see this perspective as a group because wireless security ultimately helps all of us."