Posted
Oct 2, 2008
 |  By:  Mike Chapple, Contributor

WEP to WPA: Wireless encryption in the wake of PCI DSS 1.2

The PCI Security Standards Council recently announced the imminent release of the Payment Card Industry Data Security Standard (PCI DSS) version 1.2. This revision includes a number of changes, updates and clarifications that affect anyone involved in the storage, processing or transmission of credit card information. One of the major areas of change, however, involves the use of wireless networks to transmit cardholder data.

In the PCI DSS 1.2 Summary of Changes, the PCI Security Standards Council announced several adjustments to the wireless network security requirements:

  • Wireless must be implemented using strong encryption for authentication and transmission. The Council cites IEEE 802.1x as an appropriate example.
  • Merchants are no longer permitted to deploy any new Wired Equivalent Privacy (WEP) networks.
  • Merchants using WEP networks must transition to Wi-Fi Protected Access (WPA) security no later than June 30, 2010.

Using WEP encryption to "protect" a wireless network is a bad idea, and that fact shouldn't be news to anyone. Researchers have repeatedly discovered new flaws in WEP. The use of WEP encryption was also responsible for the well-known TJX Companies breach, one of the largest thefts of credit card information in history. Up until now, the PCI DSS allowed the use of WEP encryption with the presence of compensating controls, including quarterly key rotation, MAC-based host restrictions, and the use of supplemental encryption.

For smaller networks, WPA-secured wireless and 802.1x authentication may be fairly trivial to implement. In some cases, however, the work may require significant infrastructure and/or payment system upgrades.

Converting to WPA
WPA has been standard technology on all wireless equipment manufactured since September 2003. For those using such equipment, converting to WPA may be as simple as changing a setting on the wireless access points and reconfiguring networked devices to access the new WPA network. However, for those using obsolete or specialized hardware, this change may not be so simple; you may need to get the manufacturer involved.

The good news is that everybody's in the same boat. Manufacturers that wish to support payment card applications must also support WPA encryption if they intend to continue serving the payment card industry. The bad news is that nobody requires vendors to retrofit existing equipment to accommodate the upgrade. Companies may find themselves sitting on a lot of expensive but obsolete hardware, with no option other than upgrading it or ripping it out piece by piece.

Going "enterprise"
The second task is a bit more subtle and tends to be ignored in the initial analysis of PCI DSS 1.2. The summary states: "Wireless must now be implemented according to industry best practices (e.g., IEEE 802.11x) using strong encryption for authentication and transmission." But what does PCI DSS 1.2's reference and recommendation of IEEE 802.1x authentication mean for enterprise security managers?

Basically, that sentence requires that products run WPA in WPA-Enterprise mode, which combines encryption with 802.1x user authentication. Rather than using the authentication method of the simpler WPA-Personal mode, where every device on the network uses a single shared secret key, individual machine-based or user-based authentication must be put in place to protect network access. The use of WPA-Enterprise technology allows individual users or devices to be provisioned and de-provisioned without reconfiguring the entire network. It's clearly a good security practice, but it can be difficult to implement for those who don't have experience with it.

Enterprises that are already running a RADIUS and Active Directory environment may be able to simply tie it in to the wireless infrastructure using 802.1x. Those that don't have this technology in place will need to think about the best way to deploy WPA-Enterprise in their environments.

For example, you'll probably want to first ensure that your wireless infrastructure (access points, controllers, etc.) supports WPA-Enterprise and then verify that your wireless devices (laptops, PDAs, etc.) are also compatible. You'll then have to choose the appropriate back-end authentication for your environment. In most Microsoft shops, RADIUS should be configured to authenticate against an existing Active Directory. Otherwise, another source of user authentication data will be needed to integrate with the RADIUS server. Finally, devise a rollout strategy. One common approach is to stand up the WPA-Enterprise network alongside existing wireless networks, allowing users to have a transition period of several weeks before shutting off the legacy network.
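As an added example (not part of the article), the following Python script classifies access point configurations into WEP, WPA-Personal, WPA-Enterprise or open, and maps each to the findings implied by the three PCI DSS 1.2 wireless changes listed above. It assumes the hostapd key=value configuration syntax; the sample configurations are constructed.

```python
# Constructed sample AP configs in hostapd key=value style (assumed syntax).
WEP_CONF = """ssid=pos-legacy
wep_default_key=0
wep_key0=0123456789
"""
PSK_CONF = """ssid=pos-psk
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=store-wide-secret
"""
EAP_CONF = """ssid=pos-ent
wpa=2
wpa_key_mgmt=WPA-EAP
ieee8021x=1
auth_server_addr=10.0.0.5
auth_server_shared_secret=radius-secret
"""

def parse_conf(text):
    """Parse key=value lines into a dict, ignoring blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def classify(conf):
    """Return 'WEP', 'WPA-Personal', 'WPA-Enterprise' or 'Open'."""
    if any(k.startswith("wep_key") for k in conf):
        return "WEP"
    if conf.get("wpa", "0") != "0":
        mgmt = conf.get("wpa_key_mgmt", "WPA-PSK").split()
        if any(m.startswith("WPA-EAP") for m in mgmt) and conf.get("ieee8021x") == "1":
            return "WPA-Enterprise"
        return "WPA-Personal"
    return "Open"

def pci_findings(conf):
    """Map the mode to the findings implied by the article's three changes."""
    mode = classify(conf)
    findings = {
        "WEP": ["WEP in use: no new WEP deployments; migrate to WPA by 2010-06-30"],
        "Open": ["no encryption configured"],
        "WPA-Personal": ["shared key only: 802.1x per-user/device authentication expected"],
        "WPA-Enterprise": [],
    }[mode]
    if mode == "WPA-Enterprise" and "auth_server_addr" not in conf:
        findings.append("802.1x enabled but no RADIUS server configured")
    return mode, findings
```

Running `pci_findings(parse_conf(...))` over each access point's configuration gives a quick inventory of which networks still need the WEP-to-WPA or Personal-to-Enterprise migration before the deadline.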

Summing up
The new wireless requirements imposed by PCI DSS 1.2 aren't a surprise to payment card security professionals. We've been expecting them ever since the first release of PCI DSS 1.0, and they represent best practices in wireless security. The time has now come to comply, and the council has set a clear deadline: June 2010. That might sound far away, but the best advice I can offer you is to start planning now. If the changes are simple, you'll finish way ahead of the deadline and have plenty of time to relax. However, if your infrastructure requires major changes, you'll have the necessary opportunity to plan and deploy those changes properly.

This story first appeared at searchsecurity.com
