
July 16, 2009

Accept credit cards? New wireless guidelines put you to the test

PCI council publishes new wireless security check list

By Ellen Messmer


Any business accepting credit and debit cards -- and using or considering wireless LANs -- should carefully review the recommendations for use of 802.11 wireless access points that are detailed in new guidelines issued by the Payment Card Industry Security Standards Council.

In the past, the council has issued standards that Visa, MasterCard, banks and others have gone on to require for the secure processing of credit and debit cards.

Troy Leach, the council's technical director, emphasised that the recommendations in the "PCI Data Security Standard (DSS) Wireless Guideline" are not mandatory for businesses handling payment cards and using WLANs. But he adds, "This is probably the way wireless should have been deployed all along."

And though not mandatory, the WLAN guideline, which expands on the 12 requirements of the PCI DSS that merchants must meet, does point merchants in the direction the council thinks is optimal for protecting cardholder data.

The guideline was crafted by the council's Wireless Special Interest Group (SIG), chaired by Doug Manchester, director of product security at VeriFone Holdings, in a process that took more than half a year with 50 SIG participants.

Manchester, who notes the guideline is specifically for WLANs and doesn't cover technologies such as Bluetooth (more wireless-technology guidelines can be expected in the future), says the goal was to clear up questions and establish a "common vocabulary."

"This guideline is for IT and network administrators on how to implement wireless," Manchester says, adding, "it's not new in terms of control objectives."

One basic control objective in processing cardholder data is to establish the "cardholder data environment (CDE)."

Specifically, the goal is to establish the scope of the CDE where cardholder data is transferred, processed or stored. The new guideline says that requires "a firewall that demarcates the edge of the organisation’s CDE."

In addition, even if a business processing payment cards does not make use of wireless LAN access points at all, the council is recommending that the business regularly check for the presence of "rogue WLAN access points," defined as "an unauthorised wireless device that can allow access to the CDE."

To combat the problem of the rogue access point, businesses will need to regularly use a wireless analyser, or a preventative measure such as a wireless intrusion detection/prevention system (IDS/IPS), at every CDE location, according to the council.

The council is advising large organisations to set up automated scanning using a centrally managed wireless IDS/IPS. The goal should be to remove any rogue device immediately and re-scan the environment continuously. For everyone else, the guideline calls for scans at least quarterly to detect rogue wireless devices that could be connected to the CDE at any location, and for an incident-response plan to deal with any that are found.
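What that scan-and-compare step looks like in practice, as an added example rather than anything published by the council or reproduced from the guideline: a short Python script that takes one wireless scan, checks every access point seen against an inventory of authorised ones, and then consults the CDE switch's MAC table to tell a neighbour's access point from one that is actually plugged into the cardholder data environment. The inventory, the scan lines, the switch table and the MAC-offset heuristic used to link a radio to a switch port are all constructed or assumed for this example, as is the simple whitespace-separated scan format.

```python
"""Rogue access-point triage for a cardholder data environment (CDE).

Added example, not code from the PCI Security Standards Council or from
this article. It compares one wireless scan against an inventory of
authorised access points, then uses the CDE switch's MAC table to separate
a neighbour's AP from one plugged into the CDE. All values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanResult:
    bssid: str      # radio MAC address the AP beacons with
    ssid: str
    channel: int
    security: str   # e.g. "WPA2-CCMP", "WPA-TKIP", "WEP", "OPEN"
    rssi: int       # signal strength in dBm; closer to zero is stronger


# Constructed inventory: the APs approved for the in-scope WLAN at this site.
AUTHORISED = {
    "00:11:22:33:44:01": {"ssid": "store-pos", "security": "WPA2-CCMP"},
    "00:11:22:33:44:02": {"ssid": "store-pos", "security": "WPA2-CCMP"},
    "00:11:22:33:44:03": {"ssid": "store-pos", "security": "WPA2-CCMP"},
}

# Constructed wired-side evidence: MAC addresses learned on the CDE switch.
CDE_SWITCH_MACS = {
    "00:11:22:33:44:00",  # wired port of authorised AP ...:01
    "de:ad:be:ef:00:1f",  # wired port of something nobody approved
    "00:50:56:ab:cd:ef",  # a POS terminal
}

# Constructed scan, one AP per line: bssid ssid channel security rssi.
# Output of a real tool (iw, airodump-ng, a WIDS export) needs its own parser.
SAMPLE_SCAN = """\
00:11:22:33:44:01 store-pos     1  WPA2-CCMP -46
00:11:22:33:44:02 store-pos     6  WEP       -61
aa:bb:cc:dd:ee:10 store-pos     11 WPA2-CCMP -52
de:ad:be:ef:00:20 TP-LINK_0020  6  OPEN      -40
02:00:00:00:00:01 cafe-guest    6  WPA2-CCMP -85
"""


def parse_scan(text):
    """Turn the whitespace-separated sample format into ScanResult objects."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, ssid, channel, security, rssi = line.split()
        results.append(ScanResult(bssid.lower(), ssid, int(channel), security, int(rssi)))
    return results


def mac_neighbours(mac, span=2):
    """MACs whose last octet lies within +/- span of the given one.

    Heuristic assumed by this example (and used by WIDS products): many APs
    derive the wired-interface MAC from the radio BSSID by a small offset, so
    a hit in the switch table suggests the radio is on the wire. Confirm on
    the switch port before pulling any cable.
    """
    prefix, last = mac.rsplit(":", 1)
    base = int(last, 16)
    low, high = max(0, base - span), min(255, base + span)
    return {f"{prefix}:{b:02x}" for b in range(low, high + 1)}


def triage(results, authorised, switch_macs):
    """Return (bssid, finding, detail) tuples for one scan.

    ROGUE_ON_CDE  unknown radio whose wired MAC appears on the CDE switch
    EVIL_TWIN     unknown radio advertising an authorised SSID
    UNKNOWN_AP    unknown radio with no wired evidence (often a neighbour)
    WEAK_CRYPTO   authorised AP not running its approved security setting
    MISSING       authorised AP not seen at all (offline, or swapped out)
    """
    findings = []
    authorised_ssids = {a["ssid"] for a in authorised.values()}
    seen = set()
    for r in results:
        seen.add(r.bssid)
        known = authorised.get(r.bssid)
        detail = f"ssid={r.ssid} ch={r.channel} rssi={r.rssi}"
        if known is None:
            if mac_neighbours(r.bssid) & switch_macs:
                findings.append((r.bssid, "ROGUE_ON_CDE", detail))
            elif r.ssid in authorised_ssids:
                findings.append((r.bssid, "EVIL_TWIN", detail))
            else:
                findings.append((r.bssid, "UNKNOWN_AP", detail))
        elif r.security != known["security"]:
            findings.append((r.bssid, "WEAK_CRYPTO",
                             f"expected {known['security']}, saw {r.security}"))
    for bssid in authorised:
        if bssid not in seen:
            findings.append((bssid, "MISSING", "not seen in this scan"))
    return findings


def triage_sample():
    """Run the triage over the constructed scan and tables."""
    return triage(parse_scan(SAMPLE_SCAN), AUTHORISED, CDE_SWITCH_MACS)


if __name__ == "__main__":
    for bssid, finding, detail in triage_sample():
        print(f"{finding:13} {bssid}  {detail}")
```

The point of the wired-side check is the guideline's own definition: a rogue is a device "that can allow access to the CDE." A scan alone sees every radio in range, including the cafe next door, so the over-the-air result is a lead, not a finding; the switch table is what turns it into one. An authorised AP that has fallen back to WEP, or one that has silently disappeared, is worth the same follow-up as a new radio.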

To keep wireless networks that don't transmit, store or process cardholder data out of scope, they must be separated from the CDE by a firewall. That firewall has to filter the packets coming from the 802.11 network, perform stateful inspection of connections, and monitor and log the traffic it allows and denies in line with PCI DSS Requirement 10. The firewall logs have to be reviewed daily and the firewall rules verified at least once every six months.

The wireless guideline also says that relying on virtual LAN (VLAN)-based segmentation alone "is not sufficient."

Other wireless LAN recommendations are:

  • For "in-scope wireless networks," physical security should apply, with options that include mounting wireless access points high up on a ceiling and disabling the console interface and factory reset options by using a tamper-proof chassis.
  • Change the access points' default settings: administrative passwords, encryption settings and the reset function. Disable SNMP access to remote access points if possible. Do not advertise the organisation's name in the SSID broadcast.
  • AES encryption is recommended for WLANs. Specifically, cardholder data flowing over the WLAN, including between secure wireless devices and the access points of the private WLAN they connect through, must be encrypted.
  • Wireless usage policies should be established, with "explicit management approval to use wireless networks in the CDE." Usage policies require labelling of wireless devices with owner, contact information and purpose.
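The configuration items in that list are the kind of thing that gets checked once and then drifts. As an added example that is not part of the guideline or anything the council publishes, here is a small Python audit that runs the checklist over an access point's configuration, shown twice: once as the AP came out of the box and once after the checklist has been applied. The key=value configuration format, the factory-login list, the SNMP community names, the organisation name and the assumption that the AP exposes console and reset-button settings as configuration flags are all constructed for the example; the encryption check treats anything other than WPA2 with AES as a failure, and any enabled SNMP as a finding, which is a stricter reading than the guideline's "if possible."

```python
"""Access-point configuration audit against the wireless checklist above.

Added example, not from the PCI SSC guideline or the council. The key=value
format, the factory-credential list, the SNMP community names and the
organisation name are constructed; map each check onto the real
configuration export of the access points you actually run.
"""

ORG_NAME = "acme"  # hypothetical merchant; the SSID must not reveal it

# Constructed factory logins to test against; extend from the vendor manual.
FACTORY_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("admin", ""), ("root", "root"),
}

# WPA2 with AES (CCMP) is the only setting accepted here; WEP and TKIP fail.
ACCEPTED_ENCRYPTION = {"wpa2-aes", "wpa2-ccmp"}

# Constructed configuration as the AP came out of the box.
WEAK_CONFIG = """\
ssid=ACME-Store-42
admin_user=admin
admin_password=admin
encryption=wep
snmp=enabled
snmp_community=public
console=enabled
factory_reset_button=enabled
"""

# The same AP after the checklist has been applied (values are placeholders).
HARDENED_CONFIG = """\
ssid=bh7-2g
admin_user=wlan-ops
admin_password=<unique value from the password vault>
encryption=wpa2-aes
snmp=disabled
console=disabled
factory_reset_button=disabled
"""


def parse_config(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {raw!r}")
        config[key.strip().lower()] = value.strip()
    return config


def audit(config, org_name=ORG_NAME):
    """Return (check, message) pairs for every checklist item the config fails."""
    findings = []
    creds = (config.get("admin_user", ""), config.get("admin_password", ""))
    if creds in FACTORY_CREDENTIALS:
        findings.append(("DEFAULT_ADMIN_CREDENTIALS",
                         f"admin login is a factory default: {creds[0]!r}"))
    enc = config.get("encryption", "").lower()
    if enc not in ACCEPTED_ENCRYPTION:
        findings.append(("WEAK_ENCRYPTION",
                         f"encryption is {enc or 'unset'}, need WPA2 with AES"))
    ssid = config.get("ssid", "")
    if org_name.lower() in ssid.lower():
        findings.append(("SSID_REVEALS_ORG", f"SSID {ssid!r} advertises the organisation"))
    if config.get("snmp", "disabled").lower() == "enabled":
        findings.append(("SNMP_ENABLED", "SNMP management left on"))
        if config.get("snmp_community", "").lower() in {"public", "private"}:
            findings.append(("SNMP_DEFAULT_COMMUNITY",
                             "SNMP community string is a well-known default"))
    for key, check in (("console", "CONSOLE_ENABLED"),
                       ("factory_reset_button", "FACTORY_RESET_ENABLED")):
        if config.get(key, "disabled").lower() == "enabled":
            findings.append((check, f"{key} should be disabled on an in-scope AP"))
    return findings


def audit_text(text):
    """Parse and audit a configuration given as text."""
    return audit(parse_config(text))


if __name__ == "__main__":
    for label, text in (("factory", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for check, message in audit_text(text) or [("OK", "no findings")]:
            print(f"  {check}: {message}")
```

Run on a real estate the script is only as good as the factory-credential list and the configuration export it is pointed at, so treat both as inputs to maintain. The useful property is that the same audit runs against every AP at every site, which is how the six-monthly verification the guideline asks for becomes a scheduled job rather than a manual inspection.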

Leach says the council hopes this new WLAN security guideline is going to help merchants, particularly smaller ones, when they go out shopping for wireless access points to set up in their own businesses.
