May 17, 2012

PCI Compliance and Wireless Networks: What You Need to Know


Any company that accepts credit cards has to worry about staying in compliance with the Payment Card Industry Data Security Standard (PCI DSS) v1.2. Companies that run wireless LANs have additional requirements to meet, even if no cardholder data ever travels over the wireless network.
To learn more about the requirements, we talked with Chris Williams, pre-sales systems engineer for Carousel Industries and one of the company’s wireless experts. From a PCI perspective, companies fall into one of three categories when it comes to wireless, each with varying requirements.

PCI Category 1: No Wireless in Use

A company with no wireless LAN in place isn’t free from PCI wireless requirements; it still has to periodically prove that none exists. The reason is that someone could plug a rogue wireless access point into the wired network and, from it, reach the systems that handle cardholder data. To show that isn’t happening, PCI DSS v1.2 (requirement 11.1) calls for testing for the presence of wireless access points at least quarterly, either by sweeping with a wireless analyzer and retaining the results as audit evidence, or by deploying a wireless intrusion detection/prevention system (IDS/IPS) that identifies all wireless devices in use.

PCI Category 2: Wireless LANs Are Not Used for Credit Card Data

Companies that do use wireless LANs but never carry cardholder data over them fall into the second category. They are required to keep an inventory of their wireless LANs and access points, so they know exactly what is on the air, and to refresh it at least quarterly. In practice that means a management tool such as the Aruba Networks AirWave Wireless Management Suite or the Cisco Wireless Control System.

Companies must also place a firewall between any wireless network and the cardholder data environment, the wired network where card data lives, configured to deny traffic from the wireless side or to permit only what the business genuinely needs (requirement 1.2.3). They also have to change every vendor default on their wireless equipment: administrative passwords, encryption keys and SNMP community strings. Companies have to develop standard configurations for their networks that address all known security vulnerabilities and ensure they are applied consistently in all locations, Williams says. And, like those in category 1, they have to scan for, or otherwise detect, rogue access points.
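The rogue-access-point check that both category 1 and category 2 rest on is, at bottom, a reconciliation: take what a wireless analyzer or WIDS reports and compare it with the authorized inventory. The following Python script is an added example of that reconciliation; it is not code from the article, from Carousel, Aruba or Cisco, and the inventory, the neighbour list, the scan rows, the `DEFAULT_SSIDS` heuristic and all function names are constructed or hypothetical. It separates the cases a practitioner actually has to act on: an unknown radio advertising one of the company's own SSIDs, an unknown radio with no documentation, an owned radio that has drifted from its standard configuration, and an inventoried radio that did not show up at all.

```python
"""Quarterly rogue-AP check: reconcile a wireless scan with an authorized AP inventory.

Added example with constructed data; hypothetical names, not from the article or
from any vendor tool.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedAP:
    bssid: str    # MAC of the radio as the scan reports it (case and separators vary by tool)
    ssid: str
    channel: int
    rssi: int     # signal strength in dBm; closer to 0 is stronger


# Constructed inventory of the radios we own: allowed SSID, standard channel, mount location.
AUTHORIZED = {
    "00:1a:1e:aa:bb:01": {"ssid": "corp-staff", "channel": 1, "location": "HQ floor 1"},
    "00:1a:1e:aa:bb:02": {"ssid": "corp-staff", "channel": 11, "location": "HQ floor 2"},
    "00:1a:1e:aa:bb:03": {"ssid": "corp-guest", "channel": 6, "location": "HQ lobby"},
}

# Constructed list of neighbouring radios already investigated and documented as not on our wire.
KNOWN_NEIGHBOURS = {"d8:5d:4c:11:22:33"}

# Constructed scan, standing in for a wireless analyzer sweep or a WIDS export.
SCAN = [
    ObservedAP("00-1A-1E-AA-BB-01", "corp-staff", 1, -41),       # ours, as configured
    ObservedAP("00:1a:1e:aa:bb:03", "corp-guest", 11, -47),      # ours, but not on its standard channel
    ObservedAP("d8:5d:4c:11:22:33", "CoffeeShopWiFi", 6, -78),   # documented neighbour
    ObservedAP("f4:f2:6d:99:88:77", "corp-staff", 6, -39),       # our SSID from a radio we do not own
    ObservedAP("02:00:00:de:ad:01", "linksys", 3, -44),          # unknown radio with a vendor-default SSID
]

# A few vendor-default SSIDs (hypothetical heuristic); a hit suggests a consumer AP plugged in unchanged.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "wireless"}


def normalize_bssid(bssid: str) -> str:
    """Lower-case, colon-separated MAC so inventory and scan formats compare equal."""
    return bssid.strip().replace("-", ":").lower()


def classify_scan(scan, authorized, known_neighbours):
    """Sort every observed radio into a finding bucket.

    authorized    : our BSSID broadcasting its standard SSID on its standard channel
    misconfigured : our BSSID, but SSID or channel deviates from the standard config
    evil_twin     : unknown BSSID advertising one of our SSIDs (spoofing our network)
    neighbour     : unknown BSSID previously investigated and documented as off-premises
    rogue         : unknown BSSID with no documentation; must be located and investigated
    missing       : inventory entries that no scan saw (down, moved, or removed)
    """
    inventory = {normalize_bssid(k): v for k, v in authorized.items()}
    neighbours = {normalize_bssid(b) for b in known_neighbours}
    our_ssids = {v["ssid"] for v in inventory.values()}
    findings = {k: [] for k in ("authorized", "misconfigured", "evil_twin", "neighbour", "rogue", "missing")}
    seen = set()
    for ap in scan:
        bssid = normalize_bssid(ap.bssid)
        if bssid in inventory:
            seen.add(bssid)
            std = inventory[bssid]
            if ap.ssid == std["ssid"] and ap.channel == std["channel"]:
                findings["authorized"].append(bssid)
            else:
                findings["misconfigured"].append((bssid, ap.ssid, ap.channel))
        elif ap.ssid in our_ssids:
            # Checked before the neighbour list: a neighbour using our SSID is still a spoof.
            findings["evil_twin"].append((bssid, ap.ssid, ap.channel, ap.rssi))
        elif bssid in neighbours:
            findings["neighbour"].append(bssid)
        else:
            findings["rogue"].append((bssid, ap.ssid, ap.channel, ap.rssi))
    findings["missing"] = sorted(set(inventory) - seen)
    return findings


def audit_passes(findings) -> bool:
    """The quarterly scan is clean only when nothing is left to investigate."""
    return not any(findings[k] for k in ("misconfigured", "evil_twin", "rogue", "missing"))


def report(findings) -> list:
    """Human-readable lines to file as quarterly evidence alongside the raw scan."""
    lines = []
    for bssid, ssid, ch, rssi in findings["evil_twin"]:
        lines.append(f"EVIL TWIN  {bssid} ssid={ssid} ch={ch} rssi={rssi} dBm: our SSID from an unknown radio")
    for bssid, ssid, ch, rssi in findings["rogue"]:
        hint = " (vendor-default SSID)" if ssid.lower() in DEFAULT_SSIDS else ""
        lines.append(f"ROGUE      {bssid} ssid={ssid} ch={ch} rssi={rssi} dBm: locate and check wiring{hint}")
    for bssid, ssid, ch in findings["misconfigured"]:
        lines.append(f"MISCONFIG  {bssid} seen ssid={ssid} ch={ch}: deviates from standard config")
    for bssid in findings["missing"]:
        lines.append(f"MISSING    {bssid}: in inventory but not seen in scan")
    lines.append("RESULT     " + ("PASS" if audit_passes(findings) else "INVESTIGATE"))
    return lines


if __name__ == "__main__":
    print("\n".join(report(classify_scan(SCAN, AUTHORIZED, KNOWN_NEIGHBOURS))))
```

Two design points matter more than the code. An unknown radio broadcasting the company's own SSID is checked before the neighbour allowlist, because a "neighbour" impersonating the corporate network is exactly the case the scan exists to catch. And signal strength is reported but never used to discard a finding: a weak unknown radio is usually a neighbour, but only a documented investigation, not an RSSI threshold, moves it onto the allowlist. The `missing` bucket closes the loop with the inventory requirement, since an access point that vanished from the air may have been unplugged, or may have walked out of the building.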

PCI Category 3: Wireless LANs Are Used to Transmit Credit Card Data

Companies that fall into category 3 have to meet all the category 2 requirements and, in addition, must protect the cardholder data on the air with strong encryption for both authentication and transmission, using industry best practice such as IEEE 802.11i (WPA2); WEP has not been permitted for any deployment since June 30, 2010. They also need role-based access enabled, to ensure only authorized users with a legitimate reason can connect to the network, and the network must be monitored by a system that provides logging and an audit trail. Again, the Aruba and Cisco management tools would do the trick.

To learn more about wireless PCI requirements, check out the white paper “Security Is In The Air: Complying With The PCI DSS v1.2 Standard,” by Carousel’s partner Aruba Networks. If you have any questions or want help planning for or implementing a PCI wireless strategy, contact Carousel.

