
AIRTIGHT NETWORKS

WHITEPAPER

Don’t Let Wireless Detour Your PCI Compliance


Understanding the PCI DSS Wireless Requirements

A Whitepaper by AirTight Networks, Inc.

339 N. Bernardo Avenue, Suite 200, Mountain View, CA 94043


www.airtightnetworks.com

© 2009 AirTight Networks, Inc. All rights reserved.



Executive Summary

The Payment Card Industry Security Standards Council (PCI SSC) has
published a PCI DSS Wireless Guideline which acknowledges that
wireless is a clear and present danger to network security and those who
collect, store or transmit card holder data must take steps to assure that
it is secure, whether or not wireless is deployed in the cardholder data
environment. Though the PCI DSS already included wireless security
requirements, this is the first time that the requirements for wireless
security have been described unambiguously for all cardholder data
environments (CDE). Organizations which handle payment card data
must take steps to secure the CDE against wireless threats including
unmanaged and unknown wireless devices in the environment and
must scan all locations. This white paper helps those organizations
understand how the PCI DSS 1.2 wireless requirements apply to them,
how to meet those requirements in a cost effective way, and how to
secure your network and cardholder data from wireless threats.


Introduction
Recent incidents have highlighted the growing popularity of wireless among
cybercriminals to gain sensitive data from both wired and wireless networks. The
TJX incident — the largest known wireless security breach in U.S. history — is
a prime example. Hackers used unsecured wireless as an entry point to access TJX
networks worldwide. Over 90 million credit- and debit-card records and personal
information such as social security numbers, driver’s license numbers, and military
identification of more than 451,000 customers were stolen. A total of nine retail
chains — including Office Max, Boston Market, Barnes & Noble, Sports Authority,
Forever 21, and DSW — were victims of this heist. Forrester Research estimated
the cost incurred to cover financial losses and lawsuit settlements to be one billion
dollars.
Notably the wireless networks that were hacked during this incident were not
necessarily being used for processing cardholder data, but were connected to
wired networks that were part of the cardholder data environment (CDE). This
highlighted the need to comprehensively secure the CDE against all types of
wireless threats including those initiated outside it and those initiated from “Rogue”
wireless access points and clients installed unofficially inside the CDE.
The Payment Card Industry Security Standards Council (PCI SSC) responded
promptly by releasing the latest version 1.2 of the PCI Data Security Standard (PCI
DSS) in October 2008. The PCI SSC’s Wireless Special Interest Group (SIG) followed it
with a “PCI DSS Wireless Guideline” document in July 2009 that clarified the wireless
security requirements for PCI compliance, provided guidance on implementing
secure wireless LANs and outlined methods for protecting against threats from
wireless devices outside the CDE and Rogue wireless devices.

Understanding the Cardholder Data Environment


Fundamental to achieving PCI compliance is to understand what comprises a CDE.
The PCI SSC Wireless SIG defines the CDE as “the computer environment wherein
cardholder data is transferred, processed, or stored, and any networks or devices
directly connected to that environment.”
From a wireless security viewpoint, any wireless device that is deployed officially
or unofficially becomes part of the CDE as long as it provides access to cardholder
data in transit, or in process, or in storage. Any such device is evidently under the
purview of PCI DSS.


Officially deployed wireless access points (APs) and clients can violate PCI DSS
requirements if they are misconfigured or provide CDE access to unauthorized
users. Unofficially deployed Rogue wireless APs and clients can also compromise
the security of the entire network and provide CDE access to unauthorized users.
Depending on how wireless usage influences a CDE, the PCI DSS 1.2 wireless
security requirements can be broadly grouped into two categories:
• Those that address threats from unknown wireless networks and apply
generally to all organizations wanting to comply with PCI DSS; and
• Those that apply to organizations who have deployed an official wireless
network inside the CDE.

PCI DSS 1.2 Wireless Security Requirements for All Organizations

Irrespective of whether or not they have deployed a wireless network,
organizations cannot afford to discount the presence of unknown or unmanaged
wireless devices on their premises. Today all consumer computing devices (e.g.,
laptops, smartphones, PDAs) have WiFi built in. WiFi APs are inexpensive and
available off-the-shelf for anyone to autonomously deploy their own wireless
network at work.

“[Generally applicable wireless requirements] apply to organizations regardless
of their use of wireless technology and regardless of whether the wireless
technology is a part of the CDE or not. As a result, they are generally
applicable to organizations that wish to comply with PCI DSS.”
- PCI Security Standards Council Wireless SIG

The significant risk that these unmanaged wireless devices pose to the CDE has
prompted the PCI Security Council to highlight the following PCI DSS requirements
as applicable to all organizations wanting to comply with PCI DSS. Regardless of
whether an organization runs or bans wireless, it needs to ensure that the CDE
is not plagued with such Rogue wireless devices. These are minimum wireless
scanning requirements.

Conduct Wireless Scans At Least Quarterly at All Locations

PCI DSS Requirement 11.1 Test for the presence of wireless access points by
using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to
identify all wireless devices in use.

“Although [use of a wireless analyzer for scanning] is technically possible for
a small number of locations, it is often operationally tedious, error-prone, and
costly for organizations that have several CDE locations. For large
organizations, it is recommended that wireless scanning be automated with a
wireless IDS/IPS system.”
- PCI Security Standards Council Wireless SIG

Organizations must scan ALL their sites at least quarterly to detect Rogue or
unauthorized wireless devices that may be attached to the CDE. Sampling of a few
sites for scanning is not allowed. Scanning only the CDE wired network does not
serve the purpose as it cannot detect Rogue wireless devices.

Walking around with a wireless analyzer for conducting scans is a time-consuming
process, limited in scope (in terms of ability to discover Rogue APs and relevance
over a longer time duration), cannot scale for large premises and is costly if
multiple sites have to be scanned.

Using a wireless IPS (WIPS) for scanning is a much more convenient and
comprehensive alternative. A WIPS gives you:
• 24x7 monitoring of wireless devices
• Ability to maintain an up-to-date wireless device inventory (recommended by the
PCI SSC Wireless SIG)
• Instant detection of Rogue wireless APs
• Automatic blocking of Rogue APs and other wireless threats or hack attacks
• Location tracking capability to physically hunt down Rogue and other threat-posing
wireless devices

Monitor Wireless Intrusion Alerts


PCI DSS Requirement 11.4 Use intrusion-detection systems, and/or intrusion-
prevention systems to monitor all traffic in the cardholder data environment
and alert personnel to suspected compromises. Keep all intrusion-detection and
prevention engines up-to-date.

Unless a wireless network is segmented from the CDE (requirement 1.2.3) using
a firewall, the network should be monitored for wireless intrusion attempts. A
WIPS should be configured to send automatic threat alerts and instantly notify
concerned personnel about potential risks and attacks.

Eliminate Wireless Threats


PCI DSS Requirement 12.9 Implement an incident response plan. Be prepared
to respond immediately to a system breach.

A WIPS can help you automatically respond to incidents by blocking wireless
threats such as Rogue APs before any damage is done. Any Rogue AP connected
to a wired network inside the CDE should be physically removed. The location
tracking capability of a WIPS can help locate the Rogue AP. A WIPS can also
proactively protect against other common wireless threats such as man-in-the-
middle attacks, denial-of-service attacks, and ad-hoc networks.

PCI DSS 1.2 Wireless Security Requirements for Known WLAN inside CDE

Organizations that run a wireless network as a part of the CDE need to comply
with the following PCI DSS requirements to run a secure wireless network, over
and above the requirements (11.1 – Conduct wireless scans at least quarterly at
all locations, 11.4 – Use a WIPS to monitor wireless intrusion alerts, and 12.9 – Use
a WIPS to eliminate wireless threats) discussed in the previous section. These are
secure wireless deployment requirements.

Change Default Settings


PCI DSS Requirement 2.1.1 For wireless environments connected to the
cardholder data environment or transmitting cardholder data, change wireless
vendor defaults, including but not limited to default wireless encryption keys,
passwords, and SNMP community strings. Ensure wireless device security
settings are enabled for strong encryption technology for authentication and
transmission.

Change default password: Replace the default password of your wireless AP with a
stronger password (at least eight characters and a mix of alphanumeric characters).
This will prevent unauthorized users from logging into your AP and manipulating
its settings.
Change default SSID: The Service Set Identifier (SSID) or network name can be
configured on a wireless AP. Replace the default SSID with a unique name that does
not reveal the identity or other private information about your organization.


Turn off unused services: By default certain wireless APs may run additional
services such as Web-based remote management, zero configuration, and SNMP
based monitoring. If you are not using these services, simply turn them off. If
you use SNMP, prefer SNMPv3 that supports stronger authentication than its
predecessors.
Turn on security settings: Most wireless APs come with wireless security turned off
by default. Cardholder data sent over an unsecured wireless connection is up for
grabs and can be passively sniffed by unauthorized users. Turn on the security on
your wireless APs and use strong encryption and authentication. See requirement
4.1.1 for more details.

Use Strong Encryption and Authentication


PCI DSS Requirement 4.1.1 For wireless environments connected to the
cardholder data environment or transmitting cardholder data, change wireless
vendor defaults, including but not limited to default wireless encryption keys,
passwords, and SNMP community strings. Ensure wireless device security
settings are enabled for strong encryption technology for authentication and
transmission.

Use WiFi Protected Access (WPA or WPA2) for implementing a secure wireless
network. Use at least the Temporal Key Integrity Protocol (TKIP), preferably the
Advanced Encryption Standard (AES) to protect in-transit cardholder data against
eavesdropping. Implement 802.1x based central authentication to restrict wireless
network access to authorized users. If you instead use Pre-Shared Key (PSK)
authentication, use a strong passphrase that is at least eight characters long and a
mix of alphanumeric and special characters.
Do not use the Wired Equivalent Privacy (WEP) protocol for encrypting wireless
data. WEP is fundamentally broken and cannot be fixed by any supplementary
solutions. Use of WEP is not allowed in the CDE after June 30, 2010. If using a WEP-
encrypted wireless network, a WIPS that detects and blocks WEP cracking attacks
could serve as a compensating control.
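The scanning and inventory checks under requirement 11.1 and the encryption and vendor-default checks under requirements 4.1.1 and 2.1.1 can be expressed as a single audit of scan results against an authorized-AP inventory. The following is an added example and not AirTight, SpectraGuard or PCI SSC code; the scan records, BSSIDs, SSIDs and default-SSID list are constructed sample data, and the wired_connected flag stands in for whatever a WIPS uses to decide that an AP bridges into the CDE wired network.

```python
"""Audit a wireless scan against an authorized-AP inventory for PCI DSS review.

Added example, not AirTight or PCI SSC code. It models the checks the paper
describes under requirements 11.1 (find Rogue APs attached to the CDE),
2.1.1 (vendor defaults changed) and 4.1.1 (strong encryption, no WEP).
All scan records, BSSIDs, SSIDs and the default-SSID list are constructed
sample data; 'wired_connected' stands in for a WIPS's own determination
that an AP bridges into the CDE wired network.
"""
from dataclasses import dataclass
from datetime import date

# The paper states WEP is not allowed in the CDE after this date.
WEP_CUTOFF = date(2010, 6, 30)
# Assumed examples of vendor-default SSIDs (requirement 2.1.1).
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink"}


@dataclass(frozen=True)
class ObservedAP:
    bssid: str
    ssid: str
    security: str          # "OPEN", "WEP", "WPA-TKIP" or "WPA2-AES"
    wired_connected: bool  # WIPS says the AP is attached to the CDE wired LAN


def audit(observed, authorized_bssids, today):
    """Return (bssid, finding) tuples; 'today' is a date or ISO date string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for ap in observed:
        if ap.bssid not in authorized_bssids:
            # Unknown device: only one bridged into the CDE is a Rogue AP;
            # the rest are neighbouring networks to keep out of the CDE.
            kind = "ROGUE-IN-CDE" if ap.wired_connected else "UNKNOWN-NEIGHBOR"
            findings.append((ap.bssid, kind))
            continue
        # Authorized AP: apply the secure-deployment requirements.
        if ap.security == "OPEN":
            findings.append((ap.bssid, "NO-ENCRYPTION"))
        elif ap.security == "WEP":
            tag = "WEP-PROHIBITED" if today > WEP_CUTOFF else "WEP-MIGRATE"
            findings.append((ap.bssid, tag))
        elif ap.security == "WPA-TKIP":
            findings.append((ap.bssid, "TKIP-PREFER-AES"))
        if ap.ssid.lower() in DEFAULT_SSIDS:
            findings.append((ap.bssid, "DEFAULT-SSID"))
    return findings


# Constructed sample scan and inventory (not real data).
SCAN = [
    ObservedAP("00:11:22:33:44:01", "POS-WLAN", "WPA2-AES", True),
    ObservedAP("00:11:22:33:44:02", "linksys", "WEP", True),
    ObservedAP("00:11:22:33:44:03", "CoffeeShop", "OPEN", False),
    ObservedAP("00:11:22:33:44:04", "FreeWiFi", "OPEN", True),
]
AUTHORIZED = {"00:11:22:33:44:01", "00:11:22:33:44:02"}

if __name__ == "__main__":
    for bssid, finding in audit(SCAN, AUTHORIZED, date.today()):
        print(bssid, finding)
```

A real deployment would feed the scan list from the WIPS or analyzer export and the authorized set from the device inventory the Wireless SIG recommends maintaining.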

Restrict Physical Access


PCI DSS Requirement 9.1.3 Restrict physical access to wireless access points,
gateways, and handheld devices.

Physical access to authorized wireless devices should be restricted to minimize
tampering of these devices and exposure of cardholder data. Physical access to
wireless APs can be restricted by mounting them high up on the ceilings or walls,
and by installing them inside tamper-proof enclosures.
Access to laptops and handheld devices should be restricted by using strong
passwords. Sensitive information on these devices should be encrypted to prevent
unauthorized access even if the device gets stolen.
A WIPS can also serve as a wireless inventory management system, monitoring
wireless devices and their activities, tracking their physical location inside the
CDE, and enabling the administrator to quickly discover any missing or tampered
devices.

Maintain Logs of Wireless Activity


PCI DSS Requirement 10.5.4 Write logs for external-facing technologies onto a
log server on the internal LAN.

Archive logs of wireless activity for at least one year on a central server where
the logs cannot be tampered with. Review wireless access logs daily to check for
any anomalous activity. Here a WIPS can be repurposed to maintain records of the
wireless activity it has monitored and can also help in forensic analysis of past
data if necessary.

Develop and Enforce Wireless Usage Policies


PCI DSS Requirement 12.3 Develop usage policies for critical employee-facing
technologies (for example, remote-access technologies, wireless technologies,
removable electronic media, laptops, personal data/digital assistants (PDAs),
e-mail usage and Internet usage) to define proper use of these technologies for
all employees and contractors.

In defining wireless usage policies, organizations will need to understand how to
securely deploy a wireless network and encourage users to follow best practices
when they use wireless laptops and handheld devices. Once wireless access
policies are defined, a WIPS can be used to truly enforce those policies and
proactively secure the CDE against unauthorized wireless access.

How AirTight Networks Can Help You Meet PCI Compliance


The PCI requirement for conducting wireless scans at all sites can become very
demanding. Walking around with wireless analyzers is too tedious and costly
for organizations with a large number of sites. Many small- and medium-sized
businesses do not have the IT resources that they can dedicate to wireless
scanning. Additionally, for organizations that do not have a known WLAN AP in the
CDE and are subject only to the minimum scanning requirements, a full Wireless
IPS (WIPS) capability may not be required.
Built on its leading WIPS technology, AirTight Networks offers SpectraGuard Online,
a SaaS-based wireless security solution for PCI compliance. This solution automates
wireless scanning and requires no IT intervention, thus making PCI wireless
scanning and compliance a low cost and no effort affair. Depending on the needs
of the organization, SpectraGuard Online can be upgraded seamlessly to provide
full wireless IPS capabilities.
SpectraGuard Online is a true “hands off” solution. The customer installs pre-
configured wireless sensors (plug-and-play), responds to a few wireless setup
questions and, within 72 hours, begins to receive wireless vulnerability alerts
by email. Users can choose to receive PCI Wireless Compliance report by email
monthly or quarterly. Customer data is hosted in a secure SAS70 certified
datacenter designed for security and high availability.
SpectraGuard Online offers four service modules to choose from with pricing as
low as $20 per month per location.

Modules and services (✓ = included, - = not included)

Service                                               Basic       Wireless  Wireless  Wireless
                                                      Compliance  Alerts    IDS       IPS
Automated wireless scanning                           ✓           ✓         ✓         ✓
Compliance report delivered by email monthly          ✓           ✓         ✓         ✓
  or quarterly
Real-time email alerts for Rogue AP detection         -           ✓         ✓         ✓
  and wireless intrusion
Archiving of alerts for one year                      -           ✓         ✓         ✓
Access to wireless IDS console                        -           -         ✓         ✓
24x7 full wireless monitoring                         -           -         ✓         ✓
Troubleshooting and customizable unlimited            -           -         ✓         ✓
  reporting
24x7 full wireless intrusion prevention and           -           -         -         ✓
  automatic incident response
RF heat maps                                          -           -         -         ✓
Location tracking to physically locate and            -           -         -         ✓
  remove Rogue APs


Using SpectraGuard Online customers:

• Incur no capital expenditures
• Pay only for the wireless security features required
• Grow as needed
• Have an affordable and predictable total cost of ownership
• Do not need to be concerned with hardware or software obsolescence
• Can seamlessly upgrade to get full wireless IPS capabilities

Comparing Cost of PCI Wireless Scanning: SpectraGuard Online versus
Full Onsite WIPS versus Wireless Analyzer

[Chart: Cost of PCI Compliance (Million $), y-axis 0.5 to 5, against Number of
sites (500, 1000, 2000, 3000, 5000), with three curves: Wireless analyzer,
On-site WIPS and SpectraGuard Online.]

Estimated one year expense for PCI wireless scanning. For SpectraGuard Online and on-site WIPS, one wireless sensor per location
is assumed. Cost for scanning with a wireless analyzer includes logistics cost such as travel and lodging.

The total cost of ownership for SpectraGuard Online is radically less expensive
— 60 to 75 percent lower — than any competitive WIPS solutions on the
market today. For large enterprises with hundreds or even thousands of sites
across the globe, PCI compliance wireless scanning using the SpectraGuard
Online automated, hosted solution is dramatically less expensive in both
manpower and cost than walk-around scanning using any wireless analyzer.
Conclusions
The PCI Security Standards Council has made it clear that wireless security is a
concern that all merchants, regardless of whether or not wireless is deployed, must
address. Scanning all sites for wireless vulnerabilities and threats such as Rogue APs
and eliminating them from the cardholder data environment (CDE) is mandatory.


A wireless IPS (WIPS) can automate wireless scanning, alerts monitoring,
compliance reporting and threat prevention.

AirTight Networks’ SpectraGuard Online delivers PCI wireless scanning and
wireless intrusion prevention as a SaaS. It makes wireless scanning for PCI
compliance easy and cost-effective. Organizations can choose the features
they need depending on their size and use of wireless, and save significantly
as compared to on-site WIPS installations or manual scanning using a
wireless analyzer.

About AirTight Networks

AirTight Networks is the global leader in wireless security and compliance
solutions providing customers best-of-breed technology to automatically detect,
classify, locate and block all current and emerging wireless threats. AirTight
offers both the industry’s leading wireless intrusion prevention system (WIPS)
and the world’s first wireless vulnerability management (WVM)
security-as-a-service (SaaS). AirTight’s award-winning solutions are used by
customers globally in the financial, government, retail, manufacturing,
transportation, education, healthcare, telecom, and technology industries.
AirTight owns the seminal patents for wireless intrusion prevention technology
with 11 U.S. patents and two international patents granted (UK and Australia),
and more than 20 additional patents pending. AirTight Networks is a privately
held company based in Mountain View, CA. For more information please visit
www.airtightnetworks.com

The Global Leader in Wireless Security Solutions


AirTight Networks, Inc. 339 N. Bernardo Avenue #200, Mountain View, CA 94043
T +1.877.424.7844 T 650.961.1111 F 650.961.1169 www.airtightnetworks.com info@airtightnetworks.com
© 2009 AirTight Networks, Inc. All rights reserved. AirTight Networks and the AirTight Networks logo are trademarks, and
AirTight and SpectraGuard are registered trademarks of AirTight Networks, Inc. All other trademarks mentioned herein are
properties of their respective owners. Specifications are subject to change without notice.
