Wednesday, July 15, 2009
Merchants and Wireless Security
Merchants have new guidelines to protect cardholder data from the risks of using wireless technology.
The PCI Council issued new PCI wireless guidelines this week. Some of the new changes are as follows:
1. Perform a security risk assessment of the merchant's environment prior to implementation and use the findings to design controls that mitigate the discovered risks.
2. Mount wireless devices on the ceiling if possible to reduce the risk of unauthorized physical access to the device; disable the console interface and use a tamper-proof chassis.
3. The wireless device must sit on the outer edge of the merchant's network, meaning that all wireless traffic must pass through a firewall before entering any network where cardholder data flows or is stored.
4. Only non-sensitive information should be allowed to go through the wireless device.
5. AES encryption is the recommended encryption method. Using WEP encryption makes the vendor non-compliant with PCI standards.
6. Businesses must conduct a wireless assessment quarterly to detect active rogue wireless devices and implement security measures to reduce the risks from them. Large organizations must set up automatic scanning and have an updated incident response plan for handling rogue wireless devices when they are detected.
7. Change the default settings, such as administrative passwords, encryption settings and the reset function, and disable SNMP access if possible. Do not broadcast organization names in the SSID.
8. A wireless usage policy should be established requiring "explicit management approval to use wireless networks on the same network where cardholder data flows or is stored."
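As an added example (not from the PCI Council's guidance or the Network World article), here is a small Python checker that applies items 5, 6 and 7 to a wireless survey: it flags access points that are not in the authorized inventory, that use WEP or no encryption, or whose SSID reveals the organization name. The inventory, organization name and scan results are all constructed for illustration.

```python
"""Wireless survey checker for PCI-style wireless guidelines (added example).
Everything below is constructed: the authorized inventory, the organization
name and the scan results are illustrative, not data from any real site."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed inventory of access points the merchant actually deployed.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
# Constructed organization name that must not appear in a broadcast SSID.
ORG_NAME = "acmeretail"


@dataclass
class AccessPoint:
    bssid: str
    ssid: str
    encryption: str  # as a survey tool reports it: "WPA2-AES", "WPA-TKIP", "WEP", "OPEN"


def check_access_point(ap: AccessPoint) -> List[str]:
    """Return the findings for one observed access point (empty list = clean)."""
    findings = []
    if ap.bssid.lower() not in AUTHORIZED_BSSIDS:
        findings.append("rogue: BSSID not in authorized inventory")
    enc = ap.encryption.upper()
    if enc in ("WEP", "OPEN"):
        findings.append(f"non-compliant encryption: {enc}")
    elif "AES" not in enc:
        findings.append(f"weak encryption (AES recommended): {ap.encryption}")
    # Normalize the SSID so "Acme Retail" and "acme-retail" are both caught.
    if ORG_NAME in ap.ssid.lower().replace(" ", "").replace("-", ""):
        findings.append("SSID reveals organization name")
    return findings


def audit(scan: List[AccessPoint]) -> Dict[str, List[str]]:
    """Map each BSSID that has at least one finding to its list of findings."""
    return {ap.bssid: f for ap in scan if (f := check_access_point(ap))}


# Constructed scan results, as a quarterly wireless survey might report them.
SAMPLE_SCAN = [
    AccessPoint("00:11:22:33:44:01", "store-pos", "WPA2-AES"),
    AccessPoint("00:11:22:33:44:02", "store-guest", "WPA2-AES"),
    AccessPoint("aa:bb:cc:dd:ee:ff", "linksys", "WEP"),                # unknown device on WEP
    AccessPoint("00:11:22:33:44:03", "Acme Retail WiFi", "WPA-TKIP"),  # unknown, weak, leaks name
]

if __name__ == "__main__":
    for bssid, findings in audit(SAMPLE_SCAN).items():
        print(bssid, "->", "; ".join(findings))
```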
These guidelines will help merchants better protect cardholder data while allowing them to benefit from wireless technology.
PCI Standards Guideline can be found at:
Network World Article: