For every million iPhones Apple sells, retailers see a clearer opportunity to reach the ultimate marketing goal -- to influence the consumer at the time of purchase. Smartphones simplify the idea of real-time product marketing, making it something retailers can expand and personalize.
Utilizing in-store WiFi networks, retailers can now deliver location and user-specific content to smartphone-carrying shoppers, while they are inside the store, updating it continuously.
Tempering the excitement of this new era in retail marketing is the fear (and reality) of opening up network access to the public. It wasn't too long ago that improperly secured in-store WiFi networks were exploited to gain access to the corporate network and over 100 million credit card records. Subsequently, the Payment Card Industry (PCI) Council -- founded by American Express, Visa, Mastercard, Discover and JCB -- published a worldwide Data Security Standard (DSS) to prevent such breaches. PCI DSS v1.2, the third version of the standard and in effect since January 2009, stipulates multiple security controls specific to WiFi networks that are mandatory when serving wireless network access to smartphones.
To impress on all companies the need to meet PCI compliance mandates, strict penalties (up to $100,000 a month) are applied if a company is found to be out of compliance. In addition, those that remain compliant are given incentives such as protection under a safe harbor agreement, whereby merchants are not liable for the typical $80 to $320 fine per stolen record that card brands levy in the case of a breach. These penalties and incentives, combined with the rise in cybercrime, would make one think that compliance is a no-brainer for every merchant, and yet many still struggle with the scope and cost of PCI compliance projects.
As simple as it may seem, knowing where an unauthorized WiFi device (a "rogue device") extends open network access is half the battle. Distributed enterprises such as retail organizations have hundreds if not thousands of locations managed by one central IT organization. With no IT resource at each site, retailers lack the on-site expertise to detect rogue devices, whether accidental or malicious.
Accidental rogues are WiFi devices introduced to an enterprise network by an authorized end-user, and they are typically none other than the popular and affordable WiFi routers sold for home use. While these routers provide the convenience of untethered network access, they also extend the enterprise network to anyone within a few hundred feet outside the building. A more serious variant of the rogue device threat is an attacker connecting a wireless router to a public-area network port to extend coverage beyond the physical confines of a shop. To counter such threats, PCI DSS requirement 11.1 mandates that all networks be analyzed periodically.
To satisfy PCI DSS requirement 11.1 by periodically scanning for all wireless devices, organizations can regularly dispatch technicians equipped with handheld wireless scanners to each site. Alternatively, they can use a wireless intrusion detection system (wireless IDS) that automatically and continuously scans every environment. As one would expect, the wireless IDS option becomes more economically viable as the number of sites and the distance between them increase. Many wireless IDS offerings are designed to complement existing WiFi networks and have a centralized software component that consolidates the reports from scanning the air at each site. Wireless IDS solutions require dedicated wireless scanner hardware (as little as $395 list price per scanner) at each site; each scanner sweeps every wireless channel and the 802.11a/b/g/n protocols to detect rogues. Aruba Networks also provides the option to use the scanner hardware as a WiFi access point, scanning for rogues while providing WiFi coverage, and the option to use it to detect interfering wireless signals that degrade network performance.
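The central-team side of that rogue scanning, as an added example that is not Aruba's or any vendor's code: each site's scan report is checked against that site's access point inventory, and any unknown access point that a sensor has also matched on the wired LAN is flagged first, since that is the backdoor requirement 11.1 is aimed at. The inventory, the report format and the scan lines are constructed sample data.

```python
# Added example (not Aruba's or any vendor's code): triage one site's wireless scan
# against its AP inventory for PCI DSS 11.1. Inventory and scan lines are constructed.
from dataclasses import dataclass
AUTHORIZED_BSSIDS = {"00:1a:1e:aa:00:01", "00:1a:1e:aa:00:02"}  # constructed: store APs
CORPORATE_SSIDS = {"STORE-POS", "STORE-GUEST"}                   # constructed: store SSIDs

@dataclass
class ScanHit:
    bssid: str
    ssid: str
    channel: int
    rssi: int
    on_wire: bool  # sensor matched this AP's MAC on the store's wired LAN

def parse_scan(text):
    """Parse constructed 'bssid,ssid,channel,rssi,on_wire' report lines."""
    hits = []
    for line in text.strip().splitlines():
        bssid, ssid, ch, rssi, wire = [f.strip() for f in line.split(",")]
        hits.append(ScanHit(bssid.lower(), ssid, int(ch), int(rssi), wire == "1"))
    return hits

def classify(hit):
    """Order matters: an unknown AP bridged into the LAN is the backdoor 11.1 targets."""
    if hit.bssid in AUTHORIZED_BSSIDS:
        return "authorized"
    if hit.on_wire:
        return "rogue-on-network"    # unauthorized AP extending the store network
    if hit.ssid in CORPORATE_SSIDS:
        return "ssid-impersonation"  # foreign AP advertising a corporate SSID
    return "neighbor"                # off-network AP, e.g. the shop next door

def triage(text):
    """Group BSSIDs by verdict so the central team can act on the site report."""
    report = {}
    for hit in parse_scan(text):
        report.setdefault(classify(hit), []).append(hit.bssid)
    return report

SAMPLE_SCAN = """
00:1a:1e:aa:00:01, STORE-POS,    6, -41, 1
00:1a:1e:aa:00:02, STORE-GUEST, 11, -45, 1
f8:1a:67:00:be:ef, linksys,      1, -60, 1
00:1a:1e:bb:ff:fe, STORE-GUEST,  6, -70, 0
c0:ff:ee:12:34:56, CafeNextDoor, 36, -80, 0
"""

if __name__ == "__main__":
    print(triage(SAMPLE_SCAN))
```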
The lack of strong WiFi security controls for in-store wireless networks creates another significant PCI compliance challenge. Strong WiFi security options are often not available on the legacy, application-specific mobile computers common in retail environments, such as barcode scanners, phones and printers. In the case of open WiFi access for consumer smartphones, turning on wireless security is simply not practical. Armed with knowledge of the security challenges retailers face and with readily available tools, attackers can, and have, exploited in-store WiFi networks with ease. In response, PCI DSS requirement 4.1.1 mandates that WiFi devices connected to the cardholder data environment use strong encryption technology. To comply, legacy mobile computers may need to be replaced with newer models, and open WiFi access for smartphones is not allowed. The only viable alternative for complying with requirement 4.1.1 is to use stateful firewall technology to segment legacy mobile computers and smartphones away from the cardholder environment. Such segmentation takes legacy mobile computers and smartphones out of PCI scope, since cardholder data cannot be reached from the WiFi network. Merchants have the choice of installing any ICSA-certified firewall product to segment the WiFi connections or using WiFi networks with integrated role-based firewalls.
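The segmentation claim above is only as good as the firewall policy behind it, so here is an added example (not any vendor's firewall code) of a deny-by-default, role-based policy evaluated against probe flows into the cardholder data environment. The subnets, role names, rules and probe addresses are constructed; the "flat" policy shows how a broad allow-all rule quietly leaves WiFi roles in PCI scope, and the "segmented" policy the corrected form.

```python
# Added example (not any vendor's firewall code): does a role-based WiFi firewall
# policy really keep WiFi roles away from the CDE? All values are constructed.
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
CDE = ip_network("10.10.0.0/24")  # constructed: cardholder data environment subnet

# Ordered rules per role: (action, destination network, port or None for any port).
# First match wins; no match means drop, so every policy is deny-by-default.
FLAT_POLICY = {  # weak: "anything on 80/443" and "anything at all" include CDE hosts
    "guest-smartphone": [("allow", ANY, 80), ("allow", ANY, 443)],
    "legacy-scanner": [("allow", ANY, None)],
}
SEGMENTED_POLICY = {  # corrected: CDE is denied before any broad allow applies
    "guest-smartphone": [("deny", CDE, None), ("allow", ANY, 80), ("allow", ANY, 443)],
    "legacy-scanner": [("allow", ip_network("10.20.0.0/24"), 8080)],  # app server only
}

def allowed(policy, role, dst, port):
    """Evaluate one flow (role -> dst:port) against the role's ordered rule list."""
    addr = ip_address(dst)
    for action, net, p in policy.get(role, []):
        if addr in net and (p is None or p == port):
            return action == "allow"
    return False  # no rule matched: dropped

def cde_exposure(policy, probe="10.10.0.5", ports=(80, 443, 8080)):
    """Audit: (role, port) pairs through which a WiFi role can reach a CDE host.
    An empty result is the evidence behind 'WiFi devices are out of PCI scope'."""
    return sorted((role, port) for role in policy for port in ports
                  if allowed(policy, role, probe, port))

if __name__ == "__main__":
    print("flat:     ", cde_exposure(FLAT_POLICY))
    print("segmented:", cde_exposure(SEGMENTED_POLICY))
```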
While there are numerous ways for organizations to achieve PCI compliance, here, as a reference, are three tips drawn from successful and cost-effective PCI compliance projects:
1. Look for overlay WiFi security solutions that preserve existing investments.
2. When the existing WiFi network needs to be replaced anyway, look for contemporary, multi-purpose network options. Then quantify the side effects of an upgraded infrastructure, including how it may serve other initiatives and so avoid additional purchases.
3. Quantify the benefit of security by including the costs of non-compliance -- higher interchange fees, fines, and costs of recovering from a breach.
Preventing WiFi backdoors is imperative to continuing and expanding mobility services in the retail environment, especially in this ever-expanding age of smartphones. Retailers have learned that implementing the necessary WiFi security controls can be far simpler and more affordable with integrated security options, and that doing so easily prevents the kind of problems that made PCI compliance important in the first place.