PCI clarifies procedures to secure Wi-Fi

Share this article:
The group charged with administering the Payment Card Industry Data Security Standard (PCI DSS) has begun issuing guidance documents that merchants can use to help them better understand and adhere to payment security standards.

On Thursday, the PCI Security Standards Council published its first installment: a 33-page paper for clarifying how retailers should secure their wireless internet environment.

“The guidelines are not there to add any new control objectives to the DSS requirements," Doug Manchester director of product security for payment technology vendor VeriFone Holdings, told SCMagazineUS.com on Thursday. "It's more intended to help explain what's required."

Manchester chaired the special interest group responsible for the document.

Among its goals, the document is intended to remove any confusion or ambiguity as to what is required so that qualified security assessors (QSAs), responsible for assessing merchant compliance with the PCI DSS, and retailers have a common understanding, Manchester said. All retailers that are using Wi-Fi in their business – even those that do not transmit payment card information over the wireless network -- should read the document, Troy Leach, technical director for the PCI Security Standards Council, told SCMagazineUS.com Thursday.

Retailers that use Wi-Fi  but do not use it to transmit payment card data, must ensure -- and be able to demonstrate -- that their wireless network is fully segmented from the sensitive cardholder data, Manchester said.

“We have seen in the past that that's a common weak point of an organization's security system and a primary target,” Manchester said. “Even if it's not transmitting cardholder data, you still need to protect it, and make sure that network doesn't bleed into the cardholder data environment.”

Retailers using their Wi-Fi network to transmit payment card data must ensure that the appropriate level of encryption is used, Manchester said. The guidelines recommend retailers enable WPA or WPA2 encryption, which has replaced the weaker Wired Equivalent Privacy (WEP) standard. Also, retailers must maintain the physical integrity of the devices and have logging capabilities and intrusion prevention features.

Other PCI special interest groups are working to provide clarity about other parts of the DSS that were deemed challenging to retailers -- areas such as scoping, virtualization and pre-authorization.
Share this article:
You must be a registered member of SC Magazine to post a comment.
close

Next Article in News

Sign up to our newsletters

More in News

CryptoWall surpasses CryptoLocker in infection rates

CryptoWall surpasses CryptoLocker in infection rates

A threat analysis from Dell SecureWorks CTU says that CryptoWall has picked up where its famous sibling left off.

Professor says Google search, not hacking, yielded medical info

Professor says Google search, not hacking, yielded medical ...

A professor of ethical hacking at City College San Francisco came forward to clarify that he did not demonstrate hacking a medical center's server in a class.

Syrian Malware Team makes use of enhanced BlackWorm RAT

Syrian Malware Team makes use of enhanced BlackWorm ...

FireEye analyzed the hacking group's use of the malware, dubbed the "Dark Edition" of BlackWorm.