A guide for meeting wireless PCI compliance
Introduction to PCI compliance
The Payment Card Industry Data Security Standard (PCI DSS) was developed to protect cardholder data by giving every business that stores, processes or transmits it a single, enforced baseline to follow. Attackers can steal millions of credit and debit card numbers, names, addresses, e-mail addresses and even PINs in a single breach. The PCI DSS covers both technical and operational requirements for protecting the systems involved and the customer cardholder data the enterprise holds and processes. It is designed as a minimum standard, and companies should aim to go beyond its requirements for the best protection.
A robust cyber security baseline in your organization is key to achieving and maintaining PCI DSS compliance. As businesses adopt wireless technology to improve operations and customer experience, PCI DSS requires them to extend the same level of security from their wired networks to their wireless networks, from firewall protection to testing every wireless network connected to the Cardholder Data Environment (CDE). These are the key considerations security and IT professionals must address before an assessor will sign off on full compliance.
Specific requirements for PCI wireless security compliance
There are several specific PCI compliance requirements relating to wireless networks as part of the CDE that you must take into account when designing and building your security operations:
- 1.2.3: Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment.
The purpose of this requirement is to keep traffic from wireless networks out of the CDE unless it is explicitly authorized: only the inbound and outbound protocols needed for business, from known devices, are permitted, so a compromised or unknown wireless client cannot reach the systems holding cardholder data. PCI assessors will check that you have sufficient wireless security controls in place to protect the CDE wherever wireless networks and devices exist. This is especially relevant for retail and other businesses that take card payments over wireless networks.
How to comply: The aim should always be to keep wireless traffic out of the CDE entirely, but sometimes this just isn't possible. The firewall itself is what the requirement asks for; wireless security monitoring complements it by giving you confidence that only authorized devices are connecting to the CDE wireless networks. Should an untrusted device connect to a CDE wireless network, or a CDE asset connect to a rogue or unauthorized wireless network, Pulse (Pwn Pulse, described below) will both highlight the threat and send an immediate alert pointing you to the offending device.
- 2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings.
This should be common practice for any company: never run on vendor-supplied defaults for system passwords and other security parameters, and that includes the wireless devices connected to the CDE or used to transmit cardholder data. Verifying it requires detection capability and visibility of what is on your wireless network at all times, so that security teams can spot access points that were never hardened, rogue access, and attackers abusing authorized devices on your wireless network.
How to comply: Everyone has seen the 'get it up and running as soon as possible, secure it later' scenario at some point. In a CDE this can have severe consequences. Wireless threat detection tooling can identify APs left in their default configuration (for example, still broadcasting a vendor-default SSID). Pair it with a vulnerability assessment tool and you can find not only the devices where default wireless configurations (default credentials, SNMP community strings) are still in place, but also where the network as a whole is at risk.
- 4.1.1 Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices to implement strong encryption for authentication and transmission.
Wireless technologies like Wi-Fi and Bluetooth are part of everyday life and hard to avoid in modern operations, from BYOD laptops to phones and watches; we are always connected wherever we are, and from a security perspective there is no escaping the threat that brings. Think about how many restaurants or shops you visit and how your payment is taken: often it is processed over a wireless network.
How to comply: Strong cryptographic practices are essential in a CDE, especially where wireless networks are in use. Open networks and WEP do not meet this requirement, and WPA with TKIP is deprecated and should be treated the same way; WPA2 with AES-CCMP or WPA3 is the baseline to enforce. A wireless detection tool makes monitoring the strength of the encryption straightforward: you define the minimum acceptable encryption, and it alerts you when an AP in the CDE falls below that requirement, or when a CDE asset connects to another network with weaker security.
- 11.1 Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.
In terms of wireless, this is THE section of the PCI DSS that corresponds most closely to how wireless is used within the CDE, and where Pulse can offer the greatest benefit. If a wireless device is installed on a system or network without the organization's knowledge, a malicious individual can use it as a path into the network and to the information on it, particularly the cardholder data.
How to comply: Traditionally, 11.1.a (examine policies and procedures to verify that processes are defined for detecting and identifying both authorized and unauthorized wireless access points on a quarterly basis) has been satisfied by having a third party come and assess the CDE wireless environment. That can be prohibitively expensive when potentially hundreds of remote sites all need testing, and it only gives a point-in-time view rather than a full picture. The written policy and procedure are still required; what Pulse changes is the execution, performing the detection continually, 24/7, without the need to send any personnel on site.
Moving on to 11.1.b (the detection methodology must be able to find unauthorized access points, including wireless cards added to system components, mobile devices turned into hotspots and wireless devices plugged into a network port) and 11.1.c (recent scan output must show authorized and unauthorized access points being identified, at least quarterly, for all in-scope locations): Pulse offers immediate notification of rogue access points and ad-hoc access points (such as a mobile phone hotspot), and goes further by sending a notification should a corporate or non-CDE asset join an unauthorized access point. Again, the standard requires this at least quarterly, whereas Pulse offers a continuous assessment.
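To make the checks behind 2.1.1 (vendor defaults), 4.1.1 (weak encryption) and 11.1 (rogue and spoofed access points, and CDE assets joining them) concrete, here is the kind of policy evaluation a wireless sensor applies to one survey of the airspace. This is an added example, not Pwn Pulse code and not part of the original post. The survey records, the authorized-AP inventory, the CDE asset MAC addresses, the security labels (WPA2-CCMP and so on) and the default-SSID and hotspot patterns are all constructed for illustration; a real sensor would build the survey from its own captured beacon, probe and data frames.

```python
import re
from dataclasses import dataclass

# Security labels treated as acceptable for a CDE WLAN (4.1.1). The label
# strings are an assumption about what the survey tool reports; open, WEP and
# WPA/TKIP networks are deliberately absent from this set.
STRONG = {"WPA2-CCMP", "WPA2-ENTERPRISE", "WPA3-SAE", "WPA3-ENTERPRISE"}

# Heuristic for APs left at factory defaults (2.1.1): SSIDs vendors ship out of
# the box. Illustrative patterns, not an exhaustive list.
DEFAULT_SSID = re.compile(r"^(linksys|netgear\d*|dlink|default|tp-link_[0-9a-f]{4,6})$", re.I)
# Heuristic for phone / ad-hoc hotspots that should never appear in CDE airspace.
HOTSPOT_SSID = re.compile(r"^(androidap|direct-.*|.*'s iphone)$", re.I)

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


@dataclass(frozen=True)
class Finding:
    severity: str
    requirement: str
    bssid: str
    detail: str


def assess(survey, authorized, cde_assets):
    """Apply the CDE wireless policy to one survey.

    survey:     list of dicts, one per BSSID observed, with keys
                bssid, ssid, security, clients (MACs associated to it)
    authorized: {bssid: ssid} inventory of sanctioned CDE access points
    cde_assets: MAC addresses of in-scope devices (POS terminals etc.)
    Returns findings sorted most severe first.
    """
    authorized = {b.lower(): s for b, s in authorized.items()}
    cde_assets = {m.lower() for m in cde_assets}
    auth_ssids = set(authorized.values())
    findings = []

    for ap in survey:
        bssid = ap["bssid"].lower()
        ssid = ap.get("ssid") or "<hidden>"
        clients = [c.lower() for c in ap.get("clients", [])]

        if bssid in authorized:
            # 4.1.1: a sanctioned AP must use strong encryption.
            if ap["security"] not in STRONG:
                findings.append(Finding("high", "4.1.1", bssid,
                    f"authorized AP {ssid!r} uses weak security {ap['security']}"))
        elif ssid in auth_ssids:
            # 11.1: our SSID advertised by a radio we do not own (evil twin).
            findings.append(Finding("high", "11.1", bssid,
                f"unauthorized AP spoofing authorized SSID {ssid!r}"))
        elif HOTSPOT_SSID.match(ssid):
            findings.append(Finding("medium", "11.1", bssid,
                f"personal hotspot {ssid!r} in CDE airspace"))
        else:
            findings.append(Finding("medium", "11.1", bssid,
                f"unauthorized AP {ssid!r} in CDE airspace"))

        # 2.1.1: a vendor-default SSID suggests nothing else was changed either.
        if DEFAULT_SSID.match(ssid):
            findings.append(Finding("medium", "2.1.1", bssid,
                f"AP {ssid!r} appears to be running vendor defaults"))

        # 11.1 / 1.2.3: an in-scope device associated to a radio not in inventory.
        if bssid not in authorized:
            for mac in clients:
                if mac in cde_assets:
                    findings.append(Finding("critical", "11.1", bssid,
                        f"CDE asset {mac} associated to unauthorized AP {ssid!r}"))

    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


# Constructed survey data (not a real capture) so the example runs offline.
AUTHORIZED = {"00:11:22:AA:BB:01": "STORE-POS", "00:11:22:AA:BB:02": "STORE-POS"}
CDE_ASSETS = {"d4:3d:7e:10:20:30", "d4:3d:7e:10:20:31"}
SURVEY = [
    {"bssid": "00:11:22:aa:bb:01", "ssid": "STORE-POS", "security": "WPA2-CCMP",
     "clients": ["d4:3d:7e:10:20:30"]},                  # healthy
    {"bssid": "00:11:22:aa:bb:02", "ssid": "STORE-POS", "security": "WPA-TKIP",
     "clients": []},                                      # downgraded AP
    {"bssid": "c0:ff:ee:00:00:99", "ssid": "STORE-POS", "security": "WPA2-CCMP",
     "clients": ["d4:3d:7e:10:20:31"]},                  # evil twin with a POS terminal on it
    {"bssid": "a8:6b:ad:00:12:34", "ssid": "NETGEAR47", "security": "OPEN",
     "clients": []},                                      # unknown AP at factory defaults
    {"bssid": "02:00:5e:11:22:33", "ssid": "AndroidAP", "security": "WPA2-CCMP",
     "clients": []},                                      # phone hotspot
]

if __name__ == "__main__":
    for f in assess(SURVEY, AUTHORIZED, CDE_ASSETS):
        print(f"[{f.severity:8}] {f.requirement:5} {f.bssid}  {f.detail}")
```

The inventory is keyed on BSSID rather than SSID on purpose: an attacker can copy your SSID for free, but an evil twin still shows up as a BSSID you do not own, and a CDE asset associating to that BSSID is the event worth paging someone for. Unknown APs that are merely neighbours are reported at lower severity so that the inventory can be reconciled rather than alarmed on every quarter.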
How Pwn Pulse can help
With the PCI DSS wireless requirements explained above, companies are strongly encouraged to move toward continuous monitoring and detection, and to consider automated application testing, which goes beyond ad-hoc penetration testing and is more cost effective.
Pwn Pulse provides simple and scalable wireless discovery on and around your network, whether it is a shop, retail unit, restaurant or bar. Pwn Pulse is a small piece of hardware that security operators physically plug into your network on site, with up to 50 meters of wireless coverage around it. Leave the Pwn Pulse dropbox on location and connect to it remotely to check your network consistently for rogue access by unauthorized devices looking to steal your customers' card information. It is a simple way to remain PCI compliant and, critically, to protect your organization from a substantial and damaging breach.
The advantage of using Pulse is not only the cost saving. It also improves the security posture of the CDE by continually monitoring the wireless airspace, coupled with immediate alerts for rogue access points, unauthorized wireless devices and devices that break the wireless policy.
Final considerations for meeting complete PCI compliance
More than anything else, PCI DSS requires entities under its jurisdiction to have a comprehensive program of security testing and evaluation for vulnerabilities that stem from unauthorized access, rogue devices and weak authentication. That includes testing routers, hubs, applications, configurations, settings, policies and training materials to ensure they are set up so as to minimize the risk of exposing payment card data.
Our solutions cover other PCI requirements in addition to the wireless requirements:
11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network – Our automated PCI scanner runs internal and external vulnerability scans on a schedule and again whenever a network change is made.
11.3 Implement a methodology for penetration testing – Our Red Team tests your security controls, covering a wide range of advanced testing services. These are pre-defined on-site penetration tests performed by experts to identify issues relevant to a PCI DSS assessment.
6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks – We provide continuous application security scanning of your critical apps, through our SWAT service which automates security checks as the application changes to detect and prevent web-based attacks for PCI compliance.
The best way to approach these PCI requirements is to continuously identify and monitor all wireless networks and devices over which cardholder data is transmitted, received or connected. Even though this may sound daunting and will take time to check, the practice keeps you ahead of attackers: your encryption stays strong and under constant review, and your wireless airspace is under continuous assessment.
Source: PCI Security Standards, July 2009 https://www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless_Guidelines.pdf