Beginning Sept. 30, Visa will require merchants and related businesses to conduct wireless security scans to prove compliance with version 1.2 of the PCI Data Security Standard (PCI DSS) which is designed to safeguard cardholder data from wireless threats.
Since the PCI DSS Wireless Guidelines were published in July 2009, vendors have been trotting out tools to prove compliance with the PCI wireless requirements. Here are a handful of issues merchants should consider as they review PCI wireless scanning tools trying to find the best match for their requirements.
Related Story: Restaurant owner sues point-of-sales vendor following hack attack
* Requirements to meet. Certain PCI wireless requirements are universal regardless of whether a WLAN is deployed and whether or not a WLAN is inside or outside the cardholder data environment (CDE). However, a few other additional PCI wireless requirements need to be met if a WLAN is deployed inside the CDE for purposes such as use of wireless POS terminals, inventory management, etc. During selection of a particular PCI wireless solution, merchants should be careful to ascertain if the solution is capable of satisfying all wireless requirements applicable to the site(s) in consideration.
* Automated or manual. PCI wireless compliance solutions can be automated or manual. An automated solution, generally referred to as WIPS (Wireless Intrusion Prevention Systems), consists of wireless sensors deployed at a merchant’s site. These sensors sniff the surrounding airspace for available wireless information, and send it to a central server over the network. The central server, in turn, has an engine to correlate and mine the obtained information to dig out relevant data required for PCI requirements.
Manual solutions involve use of handheld analyzers which need to be carried around the merchant’s site to collect data, which is then interpreted manually or fed to an engine to dig out relevant data. Naturally, a manual approach of achieving PCI wireless compliance is slow, tedious and can be error-prone compared to an automated one. Also, a manual approach cannot achieve 24×7 detection of wireless threats, which is a significant advantage of an automated solution. PCI wireless guidelines also recommend the use of WIPS/WIDS systems as an effective method to achieve wireless PCI compliance for organizations with large number of distributed sites because manual wireless scanning does not scale and can prove costly.
* Cost and SaaS options. Prices of the tools vary greatly. A few vendors have introduced SaaS offerings for PCI wireless solutions. These are typically low cost when compared to independent solutions and can be helpful for merchants looking for cost-effective solutions or shops that don’t have dedicated IT support.
* Reporting capabilities. Collating proof of compliance across all sites is a challenge. PCI wireless solutions which do not provide a clear and detailed PCI compliance report for any given site and across multiple sites are incapable of establishing in an audit whether the CDE met the applicable wireless requirements. A comprehensive report also helps in speeding of an audit process as all the required information will be readily available in report.
* Configuration and management. Many retail chains often lack dedicated IT support at remote sites, hence the PCI wireless solution should be easy to configure and maintain, even without trained IT staff. Also, from management point of view, the solution should accurately detect wireless threats because generation of false alerts can cause considerable problems. False alerts also crop up in the audit process because merchants have to segregate and account for each one. In fact, false alerts can make a merchant’s site non compliant. Thus, ideally, the solution should be plug-and-play and require minimal human intervention for day-to-day operation.
* Scalability. A merchant with multiple, geographically distributed sites should also consider the scalability of PCI wireless solution. A scalable tool can be easily deployed at multiple sites and be easily extended to new sites. Also, a merchant who is planning to deploy WiFi for its CDE operations in the future should consider a solution which can be easily scaled to a version suitable for wireless requirements applicable to the case where WiFi is deployed as the part of CDE.
* Cover the common vulnerabilities/threats. There are number of known wireless threats and vulnerabilities. Thus, the compliance solution should cover all of them or at least the most important ones, such as Rogue AP, HoneyPot AP, Mis-configured AP, Mis-associations, Unauthorized associations, etc. When solutions claim detection of a particular threat, merchants need to make sure all aspects/possibilities of that threat are covered. For example, all forms of rogue access points should be covered, including rogues configured in software or rogues configured using a commercially available AP. Further, the solution should be easily upgradeable to cover newly discovered vulnerabilities/threats.
* Robust device classification. PCI wireless solutions that have comprehensive classification engine require fewer inputs from the merchants about the inventory. Classification policies provided in the engine should automatically classify various devices scanned over the air into various categories, such as Rogue Devices, External Devices, etc., thus providing complete visibility of wireless devices using the air space of the merchant’s site. PCI wireless guidelines also recommend evaluation of automatic device classification capabilities when evaluating options for PCI wireless compliance solutions.
* Automatic prevention. Merchants should also consider automatic prevention capabilities for detected threats. Incident response to a wireless security incident is one of the requirements in the PCI DSS, and having sound automatic prevention enables merchants to quickly and easily respond to detected threats and prevent considerable damage.
* Location tracking. Location tracking of capabilities helps identify the location of wireless devices and facilitate removal. Also, location tracking helps tracking inventory of wireless devices.
With a number of options available for PCI wireless compliance available today, merchants should ensure they do not get trapped by an inexpensive but ineffective solution. The trap can eventually lead to the merchant bearing the cost of non-compliance, which is large.
Ajay Kumar Gupta is Team Lead for Product Development at AirTight Networks. AirTight Networks specializes in wireless security and performance management. It provides customers cutting-edge Wireless Intrusion detection and Prevention (WIPS) solutions to automatically detect, classify, block and locate current and emerging wireless threats.