Understanding the Wi-Fi Security Guidelines of PCI DSS
By Eric Geier (NoWiresSecurity Founder & Owner) - originally published on eSecurityPlanet.com
Retailers and other organizations that deal with credit card data must follow the guidelines and requirements of the Payment Card Industry Data Security Standard (PCI DSS). Backed by the major credit card companies, these rules are put into place to ensure the security of cardholder data while it’s transferred, processed, and stored.
These PCI DSS standards address all areas of information security. In this article, however, we’re concentrating on the rules specifically involving wireless networks. Organizations that don’t even use Wi-Fi, but deal with cardholder data from the major credit companies, must still satisfy some wireless-specific requirements.
The Cardholder Data Environment (CDE)
There are two sets of guidelines--or requirements--we’ll discuss. To better understand when or how they apply to an organization, we must first be aware that the network segment where cardholder data is transferred, processed, or stored is called the “Cardholder Data Environment (CDE).”
Any network component in or directly connected to the segment where cardholder data is handled is a part of the CDE. Examples of network components that might be in the CDE include switches, wireless access points (APs), computers, handheld scanners, registers, and bordering firewalls. The CDE can be separated from other networks or network segments using firewalls.
Requirements for all networks
The first set of requirements applies to any organization that must follow the general PCI DSS requirements. This includes organizations whose wireless networks are not used for transferring cardholder data, and even organizations that don’t have a wireless network or don’t use Wi-Fi at all.
These requirements are in place to protect against possible rogue wireless access points (APs). Though an organization might not use Wi-Fi, employees or outsiders could plug in rogue APs, or hackers could exploit other Wi-Fi devices on the premises. In the case where an organization does have a wireless network for other business use, these requirements help increase the security of the cardholder data.
Here are the two requirements that apply to all organizations:
Monitor the airwaves to find and analyze the existence of any Wi-Fi APs (Requirement 11.1): This can be done by walking around the location with a wireless analyzer at least quarterly and documenting the results. Alternatively, a wireless Intrusion Detection/Prevention System (IDS/IPS) could be installed that continuously monitors the airwaves and alerts personnel when an unauthorized AP is found. In either case, the organization must indicate in its Incident Response Plan (Requirement 12.9) what to do when unauthorized wireless devices are detected. There are many wireless analyzers and IDS/IPS solutions out there. Open source or free options include Kismet, Snort, and NetStumbler. Commercial products are also available from vendors such as AirMagnet, AirDefense, and AirTight.
Segment any Wi-Fi access points from the CDE if not used to transmit or receive cardholder data (Requirement 1.2.3): If the organization does have APs, but they aren’t used to transmit or receive cardholder data, they must be segmented from the CDE. A firewall must be properly configured to prevent wireless traffic from entering the CDE, perform stateful inspection of connections, and monitor and log traffic allowed and denied by the firewall in accordance with Requirement 10.
The firewall logs should be checked daily and the rules must be audited and reviewed at least every six months.
Using Virtual LANs (VLANs) alone isn’t enough to satisfy these PCI DSS requirements, though.
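The daily review of the segmentation firewall’s logs (Requirements 1.2.3 and 10) can be scripted. The following is an added example, not code from the original article: it assumes hypothetical addressing (a Wi-Fi segment of 10.20.0.0/24 and a CDE segment of 10.10.0.0/24) and a constructed key=value log format; any wireless-to-CDE flow the firewall allowed is reported as a rule violation to investigate.

```python
import ipaddress
import re
from collections import Counter

# Assumed (hypothetical) addressing for the Wi-Fi segment and the CDE segment.
WIRELESS_NET = ipaddress.ip_network("10.20.0.0/24")
CDE_NET = ipaddress.ip_network("10.10.0.0/24")

# Constructed sample log in a simple key=value layout; adapt LINE_RE to the
# format your firewall actually writes.
SAMPLE_LOG = """\
2010-05-03T08:01:12 action=DENY src=10.20.0.15 dst=10.10.0.5 proto=tcp dport=445
2010-05-03T08:02:40 action=ALLOW src=10.20.0.22 dst=203.0.113.9 proto=tcp dport=443
2010-05-03T08:03:05 action=DENY src=10.20.0.15 dst=10.10.0.5 proto=tcp dport=3389
2010-05-03T08:04:51 action=ALLOW src=10.20.0.31 dst=10.10.0.7 proto=tcp dport=22
2010-05-03T08:05:10 action=ALLOW src=10.10.0.5 dst=10.10.0.9 proto=tcp dport=1433
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) action=(?P<action>ALLOW|DENY) src=(?P<src>\S+) "
                     r"dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"], rec["dst"] = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec

def review_wireless_to_cde(log_text):
    """Count wireless->CDE flows by action; every ALLOW is a rule violation to investigate,
    because Requirement 1.2.3 expects the firewall to keep wireless traffic out of the CDE."""
    counts, violations = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: not in the expected format
        if rec["src"] in WIRELESS_NET and rec["dst"] in CDE_NET:
            counts[rec["action"]] += 1
            if rec["action"] == "ALLOW":
                violations.append(rec)
    return {"denied": counts["DENY"], "allowed": counts["ALLOW"], "violations": violations}

if __name__ == "__main__":
    report = review_wireless_to_cde(SAMPLE_LOG)
    print(f"wireless->CDE: {report['denied']} denied, {report['allowed']} allowed")
    for v in report["violations"]:
        print(f"INVESTIGATE: {v['ts']} {v['src']} -> {v['dst']}:{v['dport']}/{v['proto']}")
```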
Requirements for Wi-Fi
The second set of requirements applies to any organization that offers Wi-Fi access in the CDE, or on the same network segment where credit card data is handled. (As stated above, there shouldn’t be any wireless access in the CDE if it’s not used to transmit or receive cardholder data.)
Here are the requirements that apply to organizations using Wi-Fi in the CDE:
Ensure wireless devices are physically secure (Requirement 9.1.3): To prevent the theft of, or unauthorized access to, APs, gateways, and clients, they must always be secured from the public and from others in the building. For example, APs and gateways should be mounted out of reach, and clients shouldn’t be left unattended. APs could easily be reset to defaults, or the login credentials could be recovered from clients, opening up access to the CDE.
Change default passwords and settings of wireless devices (Requirement 2.1.1): There are many default settings of APs that make them vulnerable to eavesdropping and hacking. Therefore, all settings should be carefully reviewed, while changing at least the SSID, encryption, SNMP, and clock settings. Other measures to consider are disabling SSID broadcast and closing all unnecessary applications, ports, and protocols.
Monitor the airwaves with a wireless IDS/IPS (Requirement 11.4): Though using a wireless IDS/IPS is optional when wireless networks are outside of the CDE, it is required when there’s Wi-Fi in the CDE. Any unauthorized devices that are found must be quickly detected and disabled. The IDS/IPS should perform all three functions: rogue AP detection, unsafe configuration detection, and malicious activity detection.
The IDS/IPS logs must be carefully configured and reviewed. The log file prefix, level of logging, and the log auto-roll settings must at least be configured. If something abnormal is found in the logs, it must be investigated.
Use strong wireless authentication and encryption (Requirement 4.1.1): This specifies that, as of April 1, 2010, organizations cannot use WEP encryption for new wireless implementations in the CDE; it can be cracked and is not secure. By July 1, 2010, at the latest, all wireless networks in the CDE must be upgraded from WEP to WPA/TKIP or (preferably) WPA2/AES.
Though the Personal or pre-shared key (PSK) mode is acceptable when using a long key and manually changing it regularly, the Enterprise mode is strongly recommended. This is because it provides authentication using 802.1X/EAP and provides a more robust encryption key scheme.
If an organization isn’t able to set up its own RADIUS server for authentication, it can use an outsourced service, such as AuthenticateMyWiFi.
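The detection functions described above, rogue AP detection and unsafe configuration detection (Requirements 11.1 and 11.4) together with the WEP ban (Requirement 4.1.1), can be applied to a walk-around scan. This is an added example, not code from the original article: the authorized inventory, BSSIDs, SSIDs and scan results are all constructed, and the security-mode labels are a hypothetical simplification of what a real analyzer exports.

```python
from dataclasses import dataclass

# Ranking used to judge an observed security mode against Requirement 4.1.1:
# open and WEP are never acceptable in the CDE, WPA/TKIP is the minimum,
# WPA2/AES is preferred. Labels are a hypothetical simplification.
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA-TKIP": 2, "WPA2-AES": 3}
MIN_ACCEPTABLE = SECURITY_RANK["WPA-TKIP"]

@dataclass(frozen=True)
class ObservedAP:
    bssid: str
    ssid: str
    channel: int
    security: str

# Assumed (hypothetical) authorized-device inventory of the kind Requirement 12.3
# asks to be kept: BSSID -> (expected SSID, expected security mode).
AUTHORIZED = {
    "00:11:22:33:44:01": ("POS-CDE", "WPA2-AES"),
    "00:11:22:33:44:02": ("POS-CDE", "WPA2-AES"),
    "00:11:22:33:44:03": ("GUEST", "WPA2-AES"),
}

# Constructed scan results, standing in for a wireless analyzer export.
SCAN = [
    ObservedAP("00:11:22:33:44:01", "POS-CDE", 6, "WPA2-AES"),
    ObservedAP("00:11:22:33:44:02", "linksys", 6, "OPEN"),      # reset to factory defaults
    ObservedAP("00:11:22:33:44:03", "GUEST", 11, "WPA-TKIP"),   # weaker than the inventory says
    ObservedAP("AA:BB:CC:DD:EE:FF", "POS-CDE", 1, "WEP"),       # device not in the inventory
]

def audit_scan(scan, authorized):
    """Return (finding_type, bssid, detail) tuples: 'rogue' = BSSID not in the
    inventory; 'misconfigured' = inventory AP whose SSID or security differs from
    the record (e.g. reset to defaults); 'weak-crypto' = open or WEP in use."""
    findings = []
    for ap in scan:
        if ap.bssid not in authorized:
            findings.append(("rogue", ap.bssid, f"ssid={ap.ssid!r} ch={ap.channel} sec={ap.security}"))
            continue
        exp_ssid, exp_sec = authorized[ap.bssid]
        if ap.ssid != exp_ssid or ap.security != exp_sec:
            findings.append(("misconfigured", ap.bssid,
                             f"expected {exp_ssid}/{exp_sec}, saw {ap.ssid}/{ap.security}"))
        if SECURITY_RANK.get(ap.security, 0) < MIN_ACCEPTABLE:
            findings.append(("weak-crypto", ap.bssid, f"{ap.security} is not permitted in the CDE"))
    return findings

if __name__ == "__main__":
    for kind, bssid, detail in audit_scan(SCAN, AUTHORIZED):
        print(f"{kind:14} {bssid}  {detail}")
```

Each finding should feed the incident response procedure the organization documented under Requirement 12.9, and the scan itself is the record Requirement 11.1 asks to be kept.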
Use strong cryptography and security protocols (Requirement 4.1): All cardholder data should be encrypted using SSLv3/TLS or IPSEC when traveling over any public or open network, like the Internet and wireless technologies. Since it is recommended to treat Wi-Fi networks as open networks, even when using WPA or WPA2, it’s best to implement this on Wi-Fi connections too.
Implement wireless usage policies (Requirement 12.3): This requires the organization to put together some acceptable usage policies and procedures. Some of the recommendations include requiring explicit management approval to access Wi-Fi in the CDE, listing all of the wireless devices and personnel authorized to use them, labeling of wireless devices, and defining company-approved products.
This requirement also recommends a policy regarding the access of cardholder data from wireless devices, including prohibiting transferring or caching the data to local hard drives or removable electronic media.
Review the entire PCI DSS standard
Remember, we briefly reviewed only the requirements that deal with wireless networking. The full PCI DSS specification is available on the PCI DSS website. More help is available from the list of Qualified Security Assessors (QSAs).