
Posted Date: 9/3/2010

WLAN PCI Compliance

By  Ben Halpert

If you are a merchant or service provider that must meet the requirements of the Payment Card Industry (PCI) Data Security Standard (DSS), you may already be battle-worn from your experience with your Qualified Security Assessor (QSA) or internal audit organization. You must validate your compliance with PCI DSS, the base set of security controls that has one main goal: to protect cardholder data.

The PCI DSS calls out two specific scenarios that bring a WLAN environment into scope for a PCI DSS compliance assessment: a WLAN that is connected to the cardholder data environment (even if the WLAN is explicitly not used to transmit credit card data), and a WLAN specifically used to transmit cardholder data.

Once you have identified the WLAN environments that are in scope, the next step is to validate your current configuration controls. As detailed in the PCI DSS document (available at www.pcisecuritystandards.org), the WLAN controls, in part, are as follows:

  • 1.1.2 Current network diagram with all connections to cardholder data, including any wireless networks.
  • 1.2.3 Install perimeter firewalls between any wireless networks and the cardholder data environment (CDE), and configure these firewalls to deny or control any traffic from the wireless environment into the CDE.
  • 2.1.1 For wireless environments connected to the CDE or transmitting cardholder data, change wireless vendor defaults. Ensure wireless device security settings are enabled for strong encryption technology for authentication and transmission.
  • 4.1.1 Ensure wireless networks transmitting cardholder data or connected to the CDE use industry best practices to implement strong encryption for authentication and transmission.
  • 9.1.3 Restrict physical access to wireless access points, gateways, and handheld devices.
  • 10.5.4 Write logs for external-facing technologies onto a server on the internal LAN.
  • 11.1 Test for the presence of wireless access points by using a wireless analyzer at least quarterly or by deploying a wireless IDS/IPS to identify all wireless devices in use.
  • 12.3 Develop usage policies for critical employee-facing technologies to define proper use of these technologies for all employees and contractors.
  • 12.9.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts.
  • 12.9.5 Include alerts from intrusion-detection, intrusion-prevention, and file-integrity monitoring systems.

The specific configuration aspects for each of the aforementioned control requirements can be found in the PCI DSS document.
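Several of the controls above reduce to a recurring reconciliation: compare what a wireless survey actually sees against the authorized inventory (11.1, informed by the network diagram of 1.1.2) and flag any access point whose settings fail the vendor-default and strong-encryption requirements (2.1.1, 4.1.1). The script below is an added example, not code from the article or from the PCI Security Standards Council; the survey export layout, the inventory, the set of security modes treated as weak, and the list of vendor-default SSIDs are all constructed assumptions that an assessor would replace with the organization's own data and policy.

```python
"""Added example: quarterly wireless reconciliation for a CDE-connected WLAN.

Everything below is constructed for illustration. The CSV layout is a
hypothetical survey export, not the output of any specific analyzer.
"""
import csv
import io
from dataclasses import dataclass

# Security modes that do not meet "strong encryption for authentication and
# transmission" (2.1.1 / 4.1.1). Assumption: adjust to the organization's policy.
WEAK_SECURITY = {"OPEN", "WEP", "WPA-TKIP"}

# Constructed sample of vendor-default SSIDs (2.1.1: change wireless vendor defaults).
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink"}


@dataclass(frozen=True)
class AccessPoint:
    bssid: str
    ssid: str
    security: str   # e.g. "WPA2-AES", "WEP", "OPEN"
    channel: int


# Constructed authorized-AP inventory keyed by BSSID: the wireless entries of the
# current network diagram (1.1.2).
AUTHORIZED = {
    "00:11:22:33:44:01": AccessPoint("00:11:22:33:44:01", "corp-pos", "WPA2-AES", 6),
    "00:11:22:33:44:02": AccessPoint("00:11:22:33:44:02", "corp-pos", "WPA2-AES", 11),
    "00:11:22:33:44:03": AccessPoint("00:11:22:33:44:03", "corp-guest", "WPA2-AES", 1),
}

# Constructed quarterly survey export (hypothetical CSV format).
SURVEY_CSV = """bssid,ssid,security,channel
00:11:22:33:44:01,corp-pos,WPA2-AES,6
00:11:22:33:44:02,corp-pos,WEP,11
00:11:22:33:44:03,corp-guest,WPA2-AES,1
AA:BB:CC:DD:EE:FF,linksys,OPEN,6
DE:AD:BE:EF:00:01,corp-pos,WPA2-AES,3
"""


def parse_survey(text: str) -> list[AccessPoint]:
    """Parse the survey export into AccessPoint records, normalising case."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        AccessPoint(row["bssid"].upper(), row["ssid"],
                    row["security"].upper(), int(row["channel"]))
        for row in reader
    ]


def assess(seen: list[AccessPoint],
           authorized: dict[str, AccessPoint]) -> list[tuple[str, str]]:
    """Return (bssid, finding) pairs for every observed AP needing follow-up.

    rogue            BSSID absent from the authorized inventory (11.1)
    ssid_spoof       unauthorized BSSID advertising one of our SSIDs (11.1)
    config_drift     authorized BSSID whose SSID or security differs from inventory
    weak_encryption  security mode not considered strong (2.1.1 / 4.1.1)
    default_ssid     SSID is a known vendor default (2.1.1)
    """
    findings: list[tuple[str, str]] = []
    authorized_ssids = {ap.ssid for ap in authorized.values()}
    for ap in seen:
        expected = authorized.get(ap.bssid)
        if expected is None:
            findings.append((ap.bssid, "rogue"))
            if ap.ssid in authorized_ssids:
                findings.append((ap.bssid, "ssid_spoof"))
        elif (ap.ssid, ap.security) != (expected.ssid, expected.security):
            findings.append((ap.bssid, "config_drift"))
        if ap.security in WEAK_SECURITY:
            findings.append((ap.bssid, "weak_encryption"))
        if ap.ssid.lower() in DEFAULT_SSIDS:
            findings.append((ap.bssid, "default_ssid"))
    return findings


def run_quarterly_check() -> list[tuple[str, str]]:
    """Run the reconciliation over the constructed survey and inventory."""
    return assess(parse_survey(SURVEY_CSV), AUTHORIZED)


if __name__ == "__main__":
    for bssid, finding in run_quarterly_check():
        print(f"{bssid}  {finding}")
```

Each finding maps back to the control it supports, which is what an assessor asks for: the rogue and spoofed-SSID entries are the 11.1 evidence, the drift and weak-encryption entries show whether 2.1.1 and 4.1.1 still hold on the authorized gear, and an empty result for a quarter is itself a record worth retaining.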

 



 

Ben Halpert, CISSP, is an information security researcher and practitioner and writes monthly about security. Comments, questions and requests can be sent to him at editor@mobileenterprisemag.com; please include SECURITY in the subject line.

All materials on this site Copyright Edgell Communications. All rights reserved.