In a previous post we talked about what you need to know to keep in compliance with the Payment Card Industry Data Security Standard (PCI-DSS) when you’ve got a wireless network – or, as it turns out, even if you don’t, because you still have to prove you don’t. In the way of follow-up, we talked to Chris Williams, a pre-sales systems engineer for Carousel Industries and one of the company’s wireless experts about what goes into meeting those compliance requirements and how to make the job easier.
Outlining the PCI-DSS Requirements
First let’s take a quick look at what the PCI-DSS requirements are. The standard outlines six general goals and a total of 12 requirements, as noted in a white paper from Carousel’s partner Aruba Networks:
| Goal | Requirement |
| --- | --- |
| Build and maintain a secure network | 1: Install and maintain a firewall configuration to protect cardholder data. |
| | 2: Do not use vendor-supplied defaults for system passwords and other security parameters. |
| Protect cardholder data | 3: Protect stored cardholder data. |
| | 4: Encrypt the transmission of cardholder data across open, public networks. |
| Maintain a vulnerability management program | 5: Use and regularly update anti-virus software. |
| | 6: Develop and maintain secure systems and applications. |
| Implement strong access control measures | 7: Restrict access to cardholder data by business need-to-know. |
| | 8: Assign a unique ID to each person with computer access. |
| | 9: Restrict physical access to cardholder data. |
| Regularly monitor and test networks | 10: Track and monitor all access to network resources and cardholder data. |
| | 11: Regularly test security systems and processes. |
| Maintain an information security policy | 12: Maintain a policy that addresses information security. |
Meeting the Wireless Requirements Manually
With respect to wireless, meeting those requirements means you have to assemble a report each quarter that shows you’re taking steps such as monitoring for rogue wireless access points, which gets at requirements 10 and 11.
Doing that manually means taking a laptop or some sort of wireless sniffer and walking around all of your locations to scan for rogue APs, Williams says. “If you find any, you have to determine whether they are allowed. If not, you have to find them, unplug them or somehow kick them off the network,” he says. “If it’s someone with an ad hoc rogue AP sitting in the parking lot, trying to pretend they’re part of the store network, you have to remediate that.”
Clearly, that’s a time-consuming, manual process. “I’m working on a project with a retail customer now that has about 200 sites,” Williams says. “The projected cost was $250,000 per quarter to have someone physically scan each store.”
Streamlining with Automated, Centralized Management Tools
The alternative is to put in place a centralized management tool to automate the process. Most wireless APs today have rogue containment systems, he says. When the APs aren’t busy serving clients, they can go off-channel and scan for rogue APs.
The trick lies in collecting data from all those APs to prove they found and remediated any rogue APs. That’s where a tool like the Aruba Networks AirWave Wireless Management Suite comes in. The suite features a centralized console that customers can use to collect all the relevant data from the remote APs that they need to prove PCI compliance. “You can set it up to run a quarterly report and you’re done,” Williams says. “You don’t have to worry about it ever again, at least until PCI requirements change.”
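As an added illustration, not code from the article or from Aruba’s AirWave product, the following Python script shows the core of what a centralized tool does with the off-channel scan results its APs report: it checks each sighted BSSID against an inventory of authorised radios, separates the “pretending to be part of the store network” case from an unknown AP on the wire and from a harmless neighbour, and collapses everything into one finding per site for the quarterly report. The site names, BSSIDs, SSIDs and the wired-correlation flag are all constructed assumptions.

```python
from collections import defaultdict
# Constructed inventory (hypothetical BSSIDs): site -> authorised AP BSSIDs.
AUTHORIZED = {
    "store-017": {"00:1a:1e:00:00:01", "00:1a:1e:00:00:02"},
    "store-042": {"00:1a:1e:00:00:11"},
}
# SSIDs the company broadcasts; one of these from an unknown BSSID is the
# "pretending to be part of the store network" case quoted above.
CORPORATE_SSIDS = {"STORE-POS", "STORE-GUEST"}
SEVERITY = {"impersonating": 3, "rogue-on-wire": 2, "neighbor": 1}

def classify(site, bssid, ssid, on_wire):
    """Classify one off-channel sighting reported by an authorised AP.
    on_wire: the same MAC was also seen on the site's wired LAN (assumed
    to be correlated by the management tool)."""
    if bssid.lower() in {b.lower() for b in AUTHORIZED.get(site, ())}:
        return "authorized"
    if ssid in CORPORATE_SSIDS:
        return "impersonating"      # our SSID, not our radio
    if on_wire:
        return "rogue-on-wire"      # unknown AP plugged into the store LAN
    return "neighbor"               # foreign network, no wired foothold

def build_report(sightings):
    """Collapse sightings (site, bssid, ssid, rssi, on_wire) into one finding
    per site and BSSID: authorised APs are dropped, and for the rest the most
    severe class and strongest signal seen by any reporting AP are kept."""
    findings = defaultdict(dict)
    for site, bssid, ssid, rssi, on_wire in sightings:
        cls = classify(site, bssid, ssid, on_wire)
        if cls == "authorized":
            continue
        key = bssid.lower()
        cur = findings[site].get(key)
        if cur is None or SEVERITY[cls] > SEVERITY[cur["class"]]:
            findings[site][key] = {"class": cls, "ssid": ssid, "max_rssi": rssi}
        elif rssi > cur["max_rssi"]:
            cur["max_rssi"] = rssi
    return {site: dict(v) for site, v in findings.items()}

# Constructed scan data: one of our own APs, a spoofed POS SSID heard by two
# radios, an unauthorised AP on the store-042 LAN, and a harmless neighbour.
SAMPLE = [
    ("store-017", "00:1A:1E:00:00:01", "STORE-POS", -40, True),
    ("store-017", "de:ad:be:ef:00:01", "STORE-POS", -70, False),
    ("store-017", "DE:AD:BE:EF:00:01", "STORE-POS", -55, False),
    ("store-042", "aa:bb:cc:dd:ee:ff", "linksys", -60, True),
    ("store-042", "11:22:33:44:55:66", "CoffeeShop", -80, False),
]
```

Running `build_report(SAMPLE)` yields one impersonating finding at store-017 and a rogue-on-wire plus a neighbour finding at store-042; in a real deployment the sightings would come from the management console’s scan export rather than a constructed list.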
That’s the solution that the Carousel customer with 200 sites wound up going with. “A wireless solution for every store with AirWave was an entry cost of $800,000,” he says. Given that it would have cost the customer $1 million per year to scan the stores manually, the investment paid for itself in less than a year.
To learn more about wireless PCI requirements and how your company can more easily get and stay in compliance, contact Carousel.