PCI - No Wireless, No Excuse
author: John Huffman
Under the recent PCI standards, not deploying a corporate Wireless LAN in your stores does not allow you to ignore Wireless LAN security. In a recent PCI Data Security Standard (DSS) Information Supplement, the PCI DSS Wireless Guideline, the Wireless Special Interest Group has specifically reviewed the PCI requirements as they relate to wireless LANs and states that wireless scanning to detect rogue APs is required.
PCI DSS Requirement
11.1 Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use.
Considering how easily and cheaply an employee or intruder can purchase an Access Point or WLAN access card and install it on the corporate network, this makes perfect sense.
With the prevalence of laptop computers and consumer mobile devices, adding a wireless LAN is typically not a matter of malicious intent but of convenience, letting store employees access either corporate resources or the public Internet more easily. It may even make the store associates more efficient in performing their jobs, by keeping the store manager on the floor, or by educating the sales associates on the features of their merchandise and their competitors' promotions.
Unfortunately, the access point that was innocently added to the network can become an open door for an unwanted intruder. Without the proper security configuration, including changing default keys and passwords and enabling 802.11 security, which is unlikely with a rogue AP, this is an open invitation for a hacker to access the corporate network.
Even worse is the scenario where the rogue device was deliberately added to the network as part of an attack on the network. In this case, the wireless device could be physically obscured and configured to avoid detection.
So what is a retailer to do? The low-tech solution is to perform a quarterly audit with a wireless analyzer at every store and every other location that credit card information touches. While this may be possible for a small operation, the logistics and costs soon make it impractical.
The only practical solution is to automate the process with a wireless Intrusion Detection/Prevention System (IDS/IPS) such as Motorola's AirDefense products. These products are installed within the corporate environment to continually monitor for and detect intrusions within the store environment and report them to the IT organization for processing.
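Whether the scan is run by hand each quarter or by a WIDS sensor, the core of Requirement 11.1 is the same triage: compare what is on the air against the inventory of sanctioned APs and flag anything else, prioritising the post's red flags (default settings, no 802.11 security, strong signal on the premises). The following is an added illustration, not code from the original post or from any AirDefense product; the authorized BSSID list, the scan records and the default-SSID prefixes are all constructed sample values.

```python
from dataclasses import dataclass, field

# Assumed corporate inventory of sanctioned APs for one store (constructed values).
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
# Modes that do not meet the "enable 802.11 security" bar.
WEAK_SECURITY = {"OPEN", "WEP"}
# Factory SSIDs usually mean the AP still runs default keys and passwords (constructed list).
DEFAULT_SSID_PREFIXES = ("linksys", "netgear", "dlink", "default")

@dataclass
class ScanRecord:
    bssid: str
    ssid: str
    security: str  # e.g. "OPEN", "WEP", "WPA2", "WPA3"
    rssi: int      # signal strength in dBm; closer to 0 means nearer

@dataclass
class Finding:
    bssid: str
    reasons: list = field(default_factory=list)

def triage(records):
    """Return one Finding per AP absent from the authorized inventory.
    Each finding lists why it deserves follow-up; an unauthorized AP with a
    strong signal and weak security is the highest-priority case."""
    findings = []
    for r in records:
        bssid = r.bssid.lower()
        if bssid in AUTHORIZED_BSSIDS:
            continue
        f = Finding(bssid, ["not in authorized inventory"])
        if r.security.upper() in WEAK_SECURITY:
            f.reasons.append(f"weak security ({r.security})")
        if r.ssid.lower().startswith(DEFAULT_SSID_PREFIXES):
            f.reasons.append("default/factory SSID")
        if r.rssi >= -60:
            f.reasons.append("strong signal, likely on premises")
        findings.append(f)
    return findings

# Constructed scan results, as a wireless analyzer or WIDS sensor might report them.
SAMPLE_SCAN = [
    ScanRecord("00:11:22:33:44:01", "STORE-CORP", "WPA2", -48),
    ScanRecord("00:11:22:33:44:02", "STORE-POS", "WPA2", -52),
    ScanRecord("aa:bb:cc:dd:ee:01", "linksys", "OPEN", -41),        # rogue candidate
    ScanRecord("aa:bb:cc:dd:ee:02", "CoffeeNextDoor", "WPA2", -83),  # probably a neighbour
]

if __name__ == "__main__":
    for f in triage(SAMPLE_SCAN):
        print(f.bssid, "->", "; ".join(f.reasons))
```

A weak-signal, well-secured unknown AP is still reported, since 11.1 asks to identify all devices in use; the reasons list simply lets the IT organization work the on-premises, open, default-SSID case first.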
Additional Resources:
- PCI DSS
- PCI DSS Wireless Guideline
- Wikipedia: Payment Card Industry Data Security Standard
- Motorola AirDefense