Clarifying, Somewhat, The PCI Wireless Security Standards

Written by David Taylor
July 22nd, 2009

GuestView Columnist David Taylor is the Founder of the PCI Knowledge Base and former E-Commerce and Security analyst with Gartner.

The Wireless Special Interest Group of the PCI SSC has just issued a set of guidelines to help companies ensure that their wireless networks are secure and effectively segmented to limit the potential for damage to the cardholder data environment if a portion of the wireless network should be compromised.

(Related story: our coverage of the new PCI wireless guideline document itself.) Given that such a compromise resulted in the TJX breach and many others, the document provides some very worthwhile guidance. OK. So it’s a good document. What’s the point of writing about an implementation guideline beyond telling people to read it? Actually, there are three points that I think are worth making relative to wireless security, based on our PCI best practices research:

  • A wireless IDS/IPS is still not mandated
    One of the technical controls that was introduced with PCI DSS 1.2 is the wireless IDS/IPS. It’s listed as an option, with the other option being to manually carry a laptop around corporate and stores running wireless networks on a quarterly (or more frequent) basis and see whether any networks appear that the security person (if any) does not recognize.

    Although it’s certainly understandable that, for SMEs, the cost of a wireless IDS/IPS can be prohibitive, this is the sort of technology that should be mandatory for larger (i.e., Level 1 and 2) companies. That is not only because of the time and effort that it saves, but also because it can be extremely difficult to spot “rogue” or malicious networks in dense urban areas, shopping malls and large multi-company facilities.

    Beyond the analytics provided by such automated tools, it is also necessary for the company to maintain accurate device inventories and implement a thorough remediation process. But the point here is that the more labor-intensive the wireless network detection process is, the less often it’s going to be performed, and the less value it’s going to deliver in terms of early breach detection.

  • Separating “Rogue” from “Malicious” WLANs
    One of the aspects of wireless security that I wish this implementation guideline covered in more detail is the detection of rogue wireless networks, especially at the store level. An increasingly common hack is for criminals to find live, open network plugs in the backend of retail stores and plug in small, discreet wireless access points, which can allow them to bypass some network segmentation controls, and remotely gather information.

    Whether in this document or another document, it would be a very useful guideline to help IT managers and even store managers know what to look for physically as well as technically. Although PCI QSAs are very experienced in looking for these hacks, many self-assessors rely heavily on simple network scans and do not do a physical inventory of all network access points at all stores to see what’s plugged into them.

    In addition, it is very rare for the results of the wireless network scans to be compared with an accurate store-level IT device inventory, because most are out of date or do not reflect the myriad different wireless network pilots, implemented by multiple local and regional vendors as well as corporate.

    The result is that a store manager or IT manager from corporate or a regional office may not be able to tell whether a new wireless network was installed by a legitimate vendor or was installed surreptitiously. Since most store or regional IT managers are reluctant to simply unplug a device (due to the risk of messing up a business application), malicious wireless network devices may be left in place for weeks or months at a time.
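As an added example (not part of the column or of the PCI guideline it discusses), here is the store-level reconciliation the paragraphs above say rarely happens: a walkaround scan result is checked against a list of authorized access points, and every radio seen is classified with the follow-up a store or regional IT manager needs. Store ids, BSSIDs, SSIDs, dates and the scan line format are all constructed.

```python
from dataclasses import dataclass
from datetime import date

# Constructed inventory of authorized APs: bssid -> (store, ssid, date last physically verified).
INVENTORY = {
    "00:11:22:33:44:01": ("store-0042", "ACME-POS", date(2009, 6, 1)),
    "00:11:22:33:44:02": ("store-0042", "ACME-GUEST", date(2008, 9, 15)),  # not re-verified for months
    "00:11:22:33:44:09": ("store-0077", "ACME-POS", date(2009, 6, 1)),    # listed under another store
}
CORPORATE_SSIDS = {ssid for _store, ssid, _verified in INVENTORY.values()}

# Constructed walkaround scan taken at store-0042, one AP per line: "bssid ssid channel signal_dbm".
SCAN_STORE_0042 = """\
00:11:22:33:44:01 ACME-POS 6 -48
00:11:22:33:44:02 ACME-GUEST 11 -55
00:11:22:33:44:09 ACME-POS 1 -83
aa:bb:cc:dd:ee:ff ACME-POS 6 -51
de:ad:be:ef:00:01 linksys 6 -42
"""

@dataclass
class Finding:
    bssid: str
    ssid: str
    status: str
    action: str  # what the store or regional IT manager should do next

def reconcile(scan_text, store, today=date(2009, 7, 22), max_age_days=90):
    """Classify every BSSID seen at `store` against INVENTORY; one Finding per scanned AP."""
    findings = []
    for line in scan_text.splitlines():
        if not line.strip():
            continue
        bssid, ssid, _channel, _signal = line.split()
        bssid = bssid.lower()
        entry = INVENTORY.get(bssid)
        if entry is None and ssid in CORPORATE_SSIDS:
            # An unlisted radio advertising a corporate SSID: trace its cable and port before anything else.
            status, action = "unknown-corporate-ssid", "suspected rogue; physically trace it first"
        elif entry is None:
            status, action = "unknown", "locate it; neighbor, vendor pilot or rogue until proven otherwise"
        elif entry[0] != store:
            status, action = "misplaced", f"inventory says {entry[0]}; confirm location or fix inventory"
        elif (today - entry[2]).days > max_age_days:
            status, action = "authorized-stale", "re-verify physically; inventory record is out of date"
        else:
            status, action = "authorized", "none"
        findings.append(Finding(bssid, ssid, status, action))
    return findings
```

The stale-record and misplaced cases are the ones that turn a scan into an inventory fix rather than a false alarm; the two unknown cases are the ones that need someone in the back room looking at what is plugged in.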


    One Comment

    1. Samir Palnitkar Says:

      David makes some very good points here. As described in the wireless guidelines document, a wireless IDS/IPS is really the only practical way to achieve PCI compliance. Walkaround audits are expensive, unreliable and not scalable. Traditional, onsite wireless IDS/IPS systems have often come with a high price tag and only a few large organizations can afford them.
