Wireless network guidelines for PCI DSS compliance


Ben Rothke, Contributor
10.13.2009

In July, the PCI Security Standards Council released its PCI DSS Wireless Guidelines (.pdf), which provide an excellent set of details on how organizations that use or seek to implement 802.11 Wi-Fi networks can ensure they comply with the PCI DSS requirements. While the Payment Card Industry Data Security Standard (DSS) specification provided the base details, many organizations found they needed more specifics on how WLANs affect PCI DSS compliance.

The new document provides guidance and installation suggestions in areas such as how to limit the PCI DSS wireless scope and practical methods for deployment of secure wireless networks in payment environments. But there is a lot more to wireless security than what is written in the 33-page document. In this tip, we'll examine how the new Wi-Fi guidance enables PCI DSS compliance, and some additional best practices enterprises should put in place to not only pass a PCI DSS audit, but also better integrate security into an existing Wi-Fi network.

Do the PCI Wi-Fi guidelines help?
If one takes the guidelines' three chapters and methodically applies them to his or her wireless network, will it then be PCI DSS compliant? Ostensibly, yes. But adhering to the spirit of the mandate -- protecting sensitive electronic payment information -- can only be ascertained via in-depth analysis of the requirements and a plan for compliance. Many organizations struggle with the PCI DSS wireless requirements, since the DSS never detailed the security requirements for wireless networks when it was initially released. This matters because there are many new regulatory data protection requirements and standards, of which PCI DSS is only one. Beyond the regulations, every organization wants to ensure its data is secure and its wireless networks remain protected from external attacks. To design their security architectures most effectively, network managers must understand the wireless security features of the networks they are using, as well as their limitations.

Because wireless is often an add-on to an existing enterprise network, Chapter 2 addresses the Cardholder Data Environment (CDE). The PCI CDE is the computer environment in which cardholder data is transferred, processed or stored, together with any networks or devices directly connected to that environment. Organizations that add wireless capabilities to a flat network will find that their entire network is now likely in scope for PCI DSS compliance.

Even though the PCI DSS is detailed, organizations needed more meticulous details to help them understand how to apply the DSS to their wireless environments. The guide provides that guidance and expands on the practical methods for secure deployment of wireless in payment card transaction environments.

For instance, Chapter 3 details the specific wireless requirements for PCI DSS and general networking. The guidelines note that an entity must comply with the wireless requirements even if it does not use wireless as part of its CDE. This is needed because the PCI DSS itself doesn't convey how easy it is for someone to establish a rogue wireless access point on a network. When a wireless access point is enabled, it will often have an Ethernet connection tied into some part of the payment network. The wireless access point can then enable an attacker to bridge the connections and gain access to the payment network.

The guide concludes with Chapter 4, which sets out the applicable requirements for in-scope wireless networks and details each of them. Chapter 4 is the most detailed chapter in the guide and provides the most technical information on the specifics of securing wireless networks. Key points of the chapter include the recommendation to disable all unnecessary applications, ports and protocols, to not advertise organization names in the SSID broadcast, and more.

Beyond the guidelines
The PCI DSS Wireless Guidelines is a valuable document, but the underlying issue is that the recommendations it contains should have been implemented before any wireless network was deployed. Organizations that are serious about wireless and security should go beyond the guidelines and take the following steps:

  • Architecture -- Ensure the wireless security architecture is centrally controlled, with coordinated access points that are hardened against attack through secure configuration and timely patching.
  • Network diagrams -- These are always valuable, but are even more crucial in a PCI environment. Ensure your wireless network diagrams detail the locations of any wireless devices on the network. Once that is done, validate the network diagram using wireless scanning tools. You can use free open source tools such as NetStumbler or Kismet, or more powerful commercial tools such as those offered by Motorola Inc.'s AirDefense unit or AirMagnet Inc.
  • Data mapping -- Many organizations seek to guarantee that no cardholder data goes over wireless. But the only way to verify that is by mapping the data. By documenting how credit card transaction data flows over the network, you can then determine if it is going over the wireless network, which would then be in scope from a PCI perspective.
  • Maintaining compliance -- The hardest aspect is maintaining PCI compliance, as it requires constant vigilance. Ensure you have detailed security and compliance management processes to ensure the wireless networks will remain PCI compliant.
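As an added illustration of the network-diagram and SSID points above (example code, not part of the original tip), the following Python compares a constructed access point inventory, as a network diagram would record it, against constructed scan results of the kind a tool such as Kismet produces. It flags BSSIDs seen but absent from the diagram (candidate rogue access points), diagram entries not seen (stale diagram or access point down), and SSIDs that advertise the organization name. The organization names, BSSIDs, SSIDs and locations are all made up.

```python
from dataclasses import dataclass

# Constructed organisation names; Chapter 4 advises against putting them in an SSID.
ORG_NAMES = ("acme", "acme payments")


@dataclass(frozen=True)
class AccessPoint:
    bssid: str
    ssid: str
    location: str = ""


# Authorised access points as recorded on the network diagram (constructed data).
DIAGRAM = {
    AccessPoint("00:11:22:33:44:01", "store-wifi", "Store 12, stockroom"),
    AccessPoint("00:11:22:33:44:02", "store-wifi", "Store 12, front"),
    AccessPoint("00:11:22:33:44:03", "store-wifi", "Store 12, office"),
}

# Scan results reduced to the fields used here (constructed; a real run would
# come from a scanning tool such as Kismet).
SCAN = [
    AccessPoint("00:11:22:33:44:01", "store-wifi"),
    AccessPoint("00:11:22:33:44:02", "store-wifi"),
    AccessPoint("DE:AD:BE:EF:00:01", "ACME-Payments"),  # absent from the diagram
    AccessPoint("c0:ff:ee:00:00:02", "linksys"),        # absent from the diagram
]


def discloses_org_name(ssid: str) -> bool:
    """True if the SSID advertises one of the organisation names."""
    normalised = ssid.lower().replace("-", " ").replace("_", " ")
    return any(name in normalised for name in ORG_NAMES)


def validate_diagram(diagram, scan):
    """Compare a diagram's AP inventory with scan results, keyed by BSSID.

    Returns three sets of BSSIDs: rogue (seen but not on the diagram, so a
    candidate rogue AP), missing (on the diagram but not seen: stale diagram
    or AP down) and disclosing (SSID reveals the organisation name).
    """
    known = {ap.bssid.lower() for ap in diagram}
    seen = {ap.bssid.lower(): ap for ap in scan}
    rogue = set(seen) - known
    missing = known - set(seen)
    disclosing = {b for b, ap in seen.items() if discloses_org_name(ap.ssid)}
    return rogue, missing, disclosing
```

Any BSSID in the rogue set should be traced to its Ethernet drop and either added to the diagram as an authorised device or removed; a non-empty missing set means the diagram needs updating before it is relied on for PCI scoping.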

About the author:
Ben Rothke CISSP, PCI QSA, is a Senior Security Consultant with BT Professional Services and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill).

