Retail

The Payment Card Industry (PCI) is now mandating stricter wireless security measures, and the cost of non-compliance is significant. PCI DSS version 1.1 places special emphasis on WLAN security. It requires that cardholder environments change wireless defaults (passwords, SSIDs, WEP keys, etc.), analyze and identify all wireless devices, restrict physical access to wireless devices, log wireless activity, define wireless usage policies, and not rely on WEP alone to secure wireless networks. Wireless Intrusion Prevention Systems (WIPS) thwart wireless attacks and provide the most cost-effective solution to meet PCI wireless security requirements. Here are the top 5 steps retailers can take to secure wireless.

  1. Monitor the retail airspace 24x7 to eliminate rogue devices and block unauthorized wireless access. PCI compliance requires quarterly scanning for rogue devices at the very least. Using laptop-based sniffers at each location quickly becomes an expensive and untenable solution for large retailers and can leave networks vulnerable for months.
  2. Prevent wireless attacks and intrusions by using a specialized Wireless Intrusion Prevention System (WIPS) that can detect and prevent identity theft and denial of service attacks.
  3. Maintain detailed forensic records of wireless activity for all stores, distribution centers and headquarters, with the ability to generate compliance reports and provide an auditable trail of wireless events.
  4. Upgrade to WPA-based wireless security. If WEP must be used, augment it with additional layers of protection such as WEP Cloaking™.
  5. Use remote monitoring solutions to manage and troubleshoot distributed wireless networks quickly and cost-effectively.


PCI Wireless Compliance

AirDefense Enterprise provides the most cost-effective mechanism to comply with PCI DSS wireless requirements. Complying with the PCI wireless requirements is tedious and expensive for most retailers. PCI DSS Section 11.1 requires that retailers use a wireless analyzer at least every quarter to identify all wireless devices in use. Note that this is required regardless of WLAN deployment status, the intent being to neutralize rogue wireless devices that can show up even if WLANs have not been deployed.

Scanning a few stores and assuming that the rest are similar is not sufficient. Reputable auditors will insist on scan reports for all stores that clearly classify authorized, neighboring and rogue wireless devices at each location. Further, relying on wired-side scanning alone will not meet the requirement, since wireless devices that are not actively connected to the wired infrastructure, or that sit on isolated network segments, may not show up on a wired-side scan. AirDefense Enterprise sensors perform wireless scans 24x7, above and beyond the quarterly PCI requirement. Every device is centrally logged in the server's forensic database, and PCI compliance reports can be scheduled and automatically generated by the system. AirDefense Enterprise updates and maintains around 300 different statistics for every wireless device, every minute, and is capable of storing this data for months. The forensic data is mined to produce detailed PCI compliance reports.

The PCI standard also mandates that WEP should not be used by itself. If it must be used, other layers of protection should be added. Many retailers have legacy WEP wireless networks in stores and distribution centers with data collection terminals, wireless POS terminals, managers' workstations, VoIP phones, wireless printers, and other WLAN devices that simply cannot be firmware-upgraded to WPA. AirDefense's WEP Cloaking is the first and only patented technology to protect enterprises using WEP from common attempts used to crack the WEP key. The AirDefense WEP Cloaking solution is a compensating control for PCI Section 4.1.1. It provides a solution for immediately securing retailers using WEP without forcing them to upgrade all WLAN equipment to meet near-term deadlines for PCI compliance. These upgrades are costly and time-consuming, and WEP Cloaking provides the flexibility retailers need to upgrade their overall WLAN infrastructure over time while being secure and compliant during the process.

 
