Understanding the Wi-Fi Security Guidelines of PCI DSS
By Eric Geier (NoWiresSecurity Founder & CEO) - originally published on eSecurityPlanet.com
Retailers and other organizations that deal with credit card data must follow the guidelines and requirements of the Payment Card Industry Data Security Standard (PCI DSS). Backed by the major credit card companies, these rules are put into place to ensure the security of cardholder data while it’s transferred, processed, and stored.

These PCI DSS standards address all areas of information security. In this article, however, we’re concentrating on the rules specifically involving wireless networks. Organizations that don’t even use Wi-Fi, but deal with cardholder data from the major credit companies, must still satisfy some wireless-specific requirements.
The Cardholder Data Environment (CDE)

There are two sets of guidelines--or requirements--we’ll discuss. To better understand when or how they apply to an organization, we must first be aware that the network segment where cardholder data is transferred, processed, or stored is called the “Cardholder Data Environment (CDE).”

Any network component in or directly connected to the segment where cardholder data is handled is a part of the CDE. Examples of network components that might be in the CDE include switches, wireless access points (APs), computers, handheld scanners, registers, and bordering firewalls. The CDE can be separated from other networks or network segments using firewalls.
Requirements for all networks

The first set of requirements applies to any organization that must follow the general PCI DSS requirements. This includes organizations with wireless networks not used for transferring cardholder data--and even organizations that don’t have a wireless network or that don’t use Wi-Fi at all.

These requirements are in place to protect against possible rogue wireless access points (APs). Though an organization might not use Wi-Fi, employees or outsiders could plug in rogue APs, or hackers could exploit other Wi-Fi devices on the premises. In the case where an organization does have a wireless network for other business use, these requirements help increase the security of the cardholder data.
Here are the two requirements that apply to all organizations:

- Monitor the airwaves to find and analyze the existence of any Wi-Fi APs (Requirement 11.1): This can be done by walking around the location with a wireless analyzer at least quarterly and documenting the results. Alternatively, a wireless Intrusion Detection/Prevention System (IDS/IPS) could be installed that continuously monitors the airwaves and alerts personnel when an unauthorized AP is found. In either case, the organization must indicate in their Incident Response Plan (Requirement 12.9) what to do when unauthorized wireless devices are detected. There are many wireless analyzers and IDS/IPS solutions out there. Open source or free options include Kismet, Snort, and NetStumbler. Commercial products are also available from vendors such as AirMagnet, AirDefense, and AirTight.

- Segment any Wi-Fi access points from the CDE if not used to transmit or receive cardholder data (Requirement 1.2.3): If the organization does have APs, but they aren’t used to transmit or receive cardholder data, they must be segmented from the CDE. A firewall must be properly configured to prevent wireless traffic from entering the CDE, perform stateful inspection of connections, and monitor and log traffic allowed and denied by the firewall in accordance with Requirement 10. The firewall logs should be checked daily, and the rules must be audited and reviewed at least every six months.

Using Virtual LANs (VLANs) alone isn’t enough to satisfy these PCI DSS requirements, though.
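Both requirements above come down to two routine checks: comparing what is seen in the air against the list of authorized APs (Requirement 11.1), and reading the segmentation firewall's logs for traffic between the wireless segment and the CDE (Requirements 1.2.3 and 10). The script below is an added example written for this article, not code from the author or from any of the tools named above. The AP inventory, BSSIDs, subnets and log lines are all constructed sample data, and the iptables-style "FW: ACCEPT/DROP" log format is an assumption; a real deployment would feed it the output of its own analyzer or WIDS and its own firewall log.

```python
"""Checks for PCI DSS Requirements 11.1 and 1.2.3 (added example, constructed data)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# --- Requirement 11.1: rogue AP detection ----------------------------------

# Authorized APs, BSSID -> SSID. Constructed inventory; a real one comes from
# the device list the policy requires the organization to maintain.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "STORE-POS",
    "00:11:22:33:44:02": "STORE-POS",
    "00:11:22:33:44:10": "STORE-GUEST",
}


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    channel: int
    signal_dbm: int


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    signal_dbm: int
    kind: str  # "rogue" (unknown radio) or "evil-twin" (unknown radio using our SSID)


def find_rogue_aps(survey, authorized=AUTHORIZED_APS):
    """Return every observed BSSID not in the inventory, strongest signal first.

    An unknown radio advertising one of our own SSIDs is flagged separately as an
    "evil twin", since clients may join it by name. Signal strength is kept so the
    reviewer can triage: a strong unknown AP is more likely on the premises than a
    weak one that is probably a neighbor's.
    """
    authorized_ssids = set(authorized.values())
    findings = []
    for obs in survey:
        bssid = obs.bssid.lower()
        if bssid in authorized:
            continue
        kind = "evil-twin" if obs.ssid in authorized_ssids else "rogue"
        findings.append(Finding(bssid, obs.ssid, obs.signal_dbm, kind))
    findings.sort(key=lambda f: f.signal_dbm, reverse=True)
    return findings


# --- Requirements 1.2.3 and 10: segmentation firewall log review ----------

WIRELESS_NET = ipaddress.ip_network("10.20.0.0/24")  # constructed guest-Wi-Fi segment
CDE_NET = ipaddress.ip_network("10.10.0.0/24")       # constructed CDE segment

# Assumed log shape, e.g. "FW: DROP SRC=10.20.0.15 DST=10.10.0.5 PROTO=TCP DPT=445".
LOG_RE = re.compile(
    r"FW: (?P<verdict>ACCEPT|DROP) SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r" PROTO=(?P<proto>\S+)(?: DPT=(?P<dport>\d+))?"
)


def review_firewall_log(lines):
    """Summarize wireless->CDE flows. Returns (accepted_violations, denied_count).

    Any ACCEPT from the wireless segment into the CDE contradicts the segmentation
    rule and is returned verbatim for investigation; DROPs are only counted, since
    a steady stream of denied attempts is what the daily review expects to see.
    """
    violations, denied = [], 0
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if src in WIRELESS_NET and dst in CDE_NET:
            if m["verdict"] == "ACCEPT":
                violations.append(line.strip())
            else:
                denied += 1
    return violations, denied


# Constructed sample input: a walk-through survey and one day of firewall log lines.
SAMPLE_SURVEY = [
    Observation("00:11:22:33:44:01", "STORE-POS", 6, -45),
    Observation("00:11:22:33:44:10", "STORE-GUEST", 11, -50),
    Observation("DE:AD:BE:EF:00:01", "STORE-POS", 6, -40),      # our SSID, unknown radio
    Observation("aa:bb:cc:dd:ee:ff", "linksys", 1, -38),        # unknown AP, strong signal
    Observation("aa:bb:cc:dd:ee:11", "NEIGHBOR-CAFE", 1, -85),  # unknown AP, weak signal
]
SAMPLE_LOG = [
    "Jan 01 09:00:01 fw kernel: FW: DROP SRC=10.20.0.15 DST=10.10.0.5 PROTO=TCP DPT=445",
    "Jan 01 09:00:02 fw kernel: FW: DROP SRC=10.20.0.15 DST=10.10.0.5 PROTO=TCP DPT=3389",
    "Jan 01 09:00:03 fw kernel: FW: ACCEPT SRC=10.20.0.7 DST=10.10.0.9 PROTO=TCP DPT=22",
    "Jan 01 09:00:04 fw kernel: FW: ACCEPT SRC=10.20.0.7 DST=8.8.8.8 PROTO=UDP DPT=53",
    "Jan 01 09:00:05 fw kernel: FW: DROP SRC=10.20.0.8 DST=10.10.0.5 PROTO=ICMP",
]

if __name__ == "__main__":
    for f in find_rogue_aps(SAMPLE_SURVEY):
        print(f"{f.kind:10} {f.bssid} ssid={f.ssid!r} {f.signal_dbm} dBm")
    violations, denied = review_firewall_log(SAMPLE_LOG)
    print(f"{denied} wireless->CDE flows denied, {len(violations)} accepted (violations):")
    for v in violations:
        print("  ", v)
```

On the sample data the survey check reports two rogue radios and one evil twin, and the log review finds three denied flows plus one accepted SSH connection from the guest segment into the CDE, which is exactly the kind of entry the Incident Response Plan (Requirement 12.9) should say how to handle. Note that a VLAN tag alone would never produce the DROP lines above; only a stateful firewall between the segments does, which is the article's point.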
Requirements for Wi-Fi

The second set of requirements applies to any organization that offers Wi-Fi access in the CDE, or on the same network segment where credit card data is handled. (As stated above, there shouldn’t be any wireless access in the CDE if it’s not used to transmit or receive cardholder data.)

Here are the requirements that apply to organizations using Wi-Fi in the CDE:
- Ensure wireless devices are physically secure (Requirement 9.1.3): To prevent the theft or unauthorized access of APs, gateways, and clients, they must always be secure from the public and others in the building. For example, APs and gateways should be mounted out of reach and clients shouldn’t be left unattended. APs could easily be reset to defaults or the login credentials recovered from clients, opening up access to the CDE.

- Change default passwords and settings of wireless devices (Requirement 2.1.1): There are many default settings of APs that make them vulnerable to eavesdropping and hacking. Therefore, all settings should be carefully reviewed, while changing at least the SSID, encryption, SNMP, and clock settings. Other measures to consider are disabling SSID broadcast and closing all unnecessary applications, ports, and protocols.

- Monitor the airwaves with a wireless IDS/IPS (Requirement 11.4): Though using a wireless IDS/IPS is optional when wireless networks are outside of the CDE, it is required when there’s Wi-Fi in the CDE. Any unauthorized devices that are found must be quickly detected and disabled. The IDS/IPS should perform all three functions: rogue AP detection, unsafe configuration detection, and malicious activity detection. The IDS/IPS logs must be carefully configured and reviewed. The log file prefix, level of logging, and the log auto-roll settings must at least be configured. If something abnormal is found in the logs, it must be investigated.

- Use strong wireless authentication and encryption (Requirement 4.1.1): This specifies that organizations cannot use WEP encryption for new wireless implementations in the CDE, as of April 1, 2010; it can be cracked and is not secure. Then, by July 1, 2010 at the latest, all wireless networks in the CDE must be upgraded from WEP to WPA/TKIP or (preferably) WPA2/AES. Though the Personal or pre-shared key (PSK) mode is acceptable when using a long key and manually changing it regularly, the Enterprise mode is strongly recommended. This is because it provides authentication using 802.1X/EAP and provides a more robust encryption key scheme. If an organization isn’t able to set up their own RADIUS server for authentication, they can use an outsourced service, such as AuthenticateMyWiFi.

- Use strong cryptography and security protocols (Requirement 4.1): All cardholder data should be encrypted using SSLv3/TLS or IPsec when traveling over any public or open network, like the Internet and wireless technologies. Since it is recommended to treat Wi-Fi networks as open networks, even when using WPA or WPA2, it’s best to implement this on Wi-Fi connections too.

- Implement wireless usage policies (Requirement 12.3): This requires the organization to put together some acceptable usage policies and procedures. Some of the recommendations include requiring explicit management approval to access Wi-Fi in the CDE, listing all of the wireless devices and personnel authorized to use them, labeling of wireless devices, and defining company-approved products. This requirement also recommends a policy regarding the access of cardholder data from wireless devices, including prohibiting transferring or caching the data to local hard drives or removable electronic media.
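Requirements 2.1.1 and 4.1.1 above are the ones that can be checked directly against an AP's configuration. The script below is an added example written for this article, not the author's or any vendor's code: it parses `key=value` configuration text in the style of hostapd.conf and grades it against the points made above (no WEP or open networks, WPA/TKIP at minimum with WPA2/AES preferred, Enterprise 802.1X/EAP recommended over PSK, a long pre-shared key when PSK is used, and no vendor-default SSID or SNNP community string). Using hostapd's key names is this example's assumption, since the article names no particular AP software; `snmp_community` is a hypothetical key added so the SNMP check has something to read, and the default-SSID list and the 20-character key threshold are this example's choices rather than values taken from the standard. The three configurations are constructed samples.

```python
"""Audit AP configurations against PCI DSS 2.1.1 and 4.1.1 (added example, constructed data)."""

DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "wireless"}  # example's own list
DEFAULT_SNMP = {"public", "private"}
MIN_PSK_LEN = 20  # assumed threshold for a "long" pre-shared key


def parse_config(text):
    """Parse hostapd-style 'key=value' lines, ignoring blanks and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg):
    """Return (severity, message) findings; severity is 'fail', 'warn' or 'info'."""
    findings = []

    # Requirement 2.1.1: defaults must be changed; hiding the SSID is optional.
    ssid = cfg.get("ssid", "")
    if not ssid or ssid.lower() in DEFAULT_SSIDS:
        findings.append(("fail", "2.1.1: SSID is empty or a vendor default"))
    if cfg.get("snmp_community", "").lower() in DEFAULT_SNMP:
        findings.append(("fail", "2.1.1: SNMP community string is a default value"))
    if cfg.get("ignore_broadcast_ssid", "0") == "0":
        findings.append(("info", "2.1.1: SSID broadcast enabled (disabling it is optional)"))

    # Requirement 4.1.1: WEP is out, WPA/TKIP is the floor, WPA2/AES is preferred.
    uses_wep = any(key.startswith("wep_") for key in cfg)  # wep_default_key, wep_key0, ...
    wpa = cfg.get("wpa", "0")  # hostapd: 0 = none, 1 = WPA, 2 = WPA2, 3 = both
    if uses_wep:
        findings.append(("fail", "4.1.1: WEP is configured; WEP is not permitted in the CDE"))
    elif wpa == "0":
        findings.append(("fail", "4.1.1: no wireless encryption configured"))
    else:
        # hostapd uses rsn_pairwise for WPA2 and falls back to wpa_pairwise.
        pairwise = cfg.get("rsn_pairwise", cfg.get("wpa_pairwise", "")).split()
        if "CCMP" not in pairwise:
            findings.append(("warn", "4.1.1: TKIP only; WPA2/AES (CCMP) is preferred"))
        if wpa == "1":
            findings.append(("warn", "4.1.1: WPA only; WPA2 is preferred"))
        key_mgmt = cfg.get("wpa_key_mgmt", "WPA-PSK").split()
        if "WPA-EAP" in key_mgmt:
            if not cfg.get("auth_server_addr"):
                findings.append(("fail", "4.1.1: Enterprise mode without a RADIUS server"))
        else:
            findings.append(("warn", "4.1.1: PSK mode; Enterprise (802.1X/EAP) is recommended"))
            if len(cfg.get("wpa_passphrase", "")) < MIN_PSK_LEN:
                findings.append(("fail", f"4.1.1: pre-shared key shorter than {MIN_PSK_LEN} chars"))
    return findings


def compliant(cfg):
    """True when the audit raises no 'fail' finding (warnings are still worth fixing)."""
    return not any(severity == "fail" for severity, _ in audit(cfg))


# Constructed sample configurations: a legacy setup, a WPA2-Personal setup that
# meets the floor but not the recommendations, and the recommended Enterprise setup.
WEAK_CONFIG = """
interface=wlan0
ssid=linksys
channel=6
wep_default_key=0
wep_key0=0123456789
snmp_community=public
"""
PSK_CONFIG = """
interface=wlan0
ssid=STORE-POS
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=changeme123
"""
ENTERPRISE_CONFIG = """
interface=wlan0
ssid=STORE-POS
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=10.10.0.2
auth_server_port=1812
auth_server_shared_secret=RADIUS_SECRET_PLACEHOLDER
snmp_community=Str0ng-R0-Community
"""

if __name__ == "__main__":
    for name, text in [("weak", WEAK_CONFIG), ("psk", PSK_CONFIG), ("enterprise", ENTERPRISE_CONFIG)]:
        cfg = parse_config(text)
        print(f"{name}: {'compliant' if compliant(cfg) else 'NOT compliant'}")
        for severity, message in audit(cfg):
            print(f"  [{severity}] {message}")
```

The legacy configuration fails on WEP, the default SSID and the default SNMP community; the WPA2-Personal one passes the encryption floor but is warned about TKIP and PSK mode and fails on its short key, which mirrors the article's "acceptable only with a long, regularly changed key" caveat; the Enterprise configuration produces no findings at all. The same checks can be run over an exported configuration before an AP is placed into the CDE, and again after every firmware update or factory reset, which is when defaults tend to come back.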
Review the entire PCI DSS standard

Remember, we briefly reviewed only the requirements that deal with wireless networking. The full PCI DSS specification is available on their Website. More help is available from a list of Qualified Security Assessors (QSAs).