PCI Council Releases Guidelines for Wireless Network Security

Nearly a year after ordering the phase-out of Wired Equivalent Privacy (WEP), a technology introduced in 1999 to protect data flowing over wireless networks, the PCI Security Standards Council this week released new guidelines for enhanced wireless security. The so-called Payment Card Industry data security standard wireless, written by the PCI Council's Wireless Special Interest Group, outlines requirements that card-accepting merchants need to use to protect their networks from attacks via rogue or unknown wireless access points and clients. It also says that all organizations that transmit payment card information via wireless technology should implement the guidelines. Each section of the paper, available on the PCI Council's Web site, contains a detailed list of requirements for meeting the guidelines, as well as outlining summary recommendations. Nine requirements are analyzed and summarized with recommendations for implementation. “This first-ever guide will help all in the payment chain, but particularly merchants, better understand the methods necessary to secure their wireless networks, or totally remove the networks from the scope of the DSS and the payment process,” Doug Manchester, director of product security for payment card terminal maker VeriFone Holdings Inc. and chairman of the Wireless Special Interest Group, said in a statement. Executives from the PCI Council were unavailable Friday morning to comment on whether the wireless guidelines will be incorporated into the next version of the PCI standard, the rules for protecting Visa, MasterCard, American Express, Discover, and JCB cards and transactions. Version 1.2 of the standard, officially released in October 2008, prohibited new WEP implementations after March 2009 and use of WEP technology by the end of this year (Digital Transactions News, Aug. 19, 2008). And earlier guidelines that cover PIN-entry devices (formally PIN Entry Device Security Requirements or PED) and point-of-sale hardware and software (Payment Application Data Security Standard or PA-DSS) later were incorporated into the overarching PCI standard. “The new guidelines provide greater specificity about wireless network security, an area where there are known vulnerabilities that hackers have exploited, most famously in the TJX data breach,” Tom Wills, senior analyst of security for fraud and compliance at Javelin Strategy & Research, tells Digital Transactions News via e-mail. Federal authorities say data breaches at TJX Cos. and other retailers happened when hackers went “war driving”?driving around commercial areas with laptops to find vulnerable wireless networks that might yield payment card numbers (Digital Transactions News, Aug. 6, 2008). The PCI standard is “essentially a checklist rather than a prescription for comprehensive information security,” Wills says. “Its lack of specificity has resulted in confusion on how to implement the standard. Therefore, spelling out the requirements in greater detail can only be helpful to overall information security.” The Wireless Special Interest Group is comprised of executives and others from more than 40 organizations, including POS terminal vendors, network security companies, merchant-acquiring banks, and large merchants.