Credit cards account for more than $2.5 trillion in transactions a year and are accepted at more than 24 million locations in more than 200 countries and territories. It is estimated that there are 10,000 payment card transactions made every second around the world.[1]
All organizations that accept payment cards are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). They must comply with this security standard whether or not they use wireless technology to process credit card data.
Organizations that are not PCI-compliant risk significant fines and other consequences. Noncompliance is established in several ways - for instance, through audits that find unsecured transactions or as a result of verified security breaches. The impact on profitability includes card replacement costs and customer fear, which can quickly lead to a damaged brand and lost sales, expensive forensic audits, lawsuits, and liability claim compensation.[2]
If becoming compliant seems like a costly upfront investment, consider that compliance is not only mandatory for any organization that handles payment card data, but also provides a useful, auditable framework within which an organization can actively and continuously pursue greater security for cardholder data and other data.
This paper aims to provide an understanding of PCI DSS and direction for a variety of different organizations in applying the criteria to wireless infrastructure, connectivity, size and current payment card security preparedness. Additionally, this paper will make recommendations for wireless security actions and architectures that organizations ought to employ in order to attain and maintain PCI compliance as the consequences of noncompliance intensify over time.
1. Maintain a hardware inventory
2. Perform scanning for rogue access points
3. Segment cardholder data from other network traffic
4. Maintain physical security of wireless devices
5. Enforce wireless usage policies
Let's look at each of these required steps in detail.
Maintaining a Hardware Inventory
Maintaining an inventory of the hardware infrastructure is an essential step in avoiding physical security breaches by malevolent outside parties or by internal personnel who bypass procedures. A hardware inventory also aids in the rapid detection of stolen or otherwise missing data.
Scanning for Rogue Access Points
PCI DSS requirement 11.1 states that an organization must test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis. Requirement 11.1 goes on to note that methods that may be used in the process include, but are not limited to, wireless network scans, physical site inspection, network access control or wireless intrusion detection systems/intrusion prevention systems (IDS/IPS).
While you can use several methods to achieve this goal, we recommend the use of wireless IDS/IPS. The PCI DSS requirements state that it is essential to do regular scans (at least quarterly) to find out if rogue devices have been introduced into the network and to alert personnel. However, threats to network security are often not long-term conditions. These threats are likely to occur in between quarterly scans, creating the need to continuously scan for rogue access - that is, access by any device that has a wireless interface and that is not an intended part of the environment. You can further secure the environment by using automatic alerts and containment mechanisms. When you incorporate the Cisco® Wireless Control System (WCS) in your network, you gain the ability to understand and log potential network compromises. As Figure 1 shows, WCS scans for and categorizes rogue devices.
Figure 1. Using Cisco WCS to Track and Locate Rogue Devices
Other approaches include using wired-side scanning tools. However, port scanning on the wired network is not enough, because it does not recognize "disguised" access points. What's more, the use of wired network port scanning requires organizations to go through a "compensating controls" process to seek approval by a Qualified Security Assessor or the company's Acquiring Bank for deviating from the standard. According to PCI DSS 2.0, Appendix B, "Compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk..."
The only true way to identify rogue wireless access is by monitoring the wireless network. Page 10 of the PCI DSS Wireless Guideline[4], released in June 2009, states:
Relying on wired side scanning tools (e.g. tools that scan suspicious hardware MAC addresses on switches) may identify some unauthorized wireless devices; however, they tend to have high false positive/negative detection rates. Wired network scanning tools that scan for wireless devices often miss cleverly hidden and disguised rogue wireless devices or devices that are connected to isolated network segments. Wired scanning also fails to detect many instances of rogue wireless clients. A rogue wireless client is any device that has a wireless interface that is not intended to be present in the environment.
Physical inspection is just as ineffective as port scanning, if not more so. Wrongdoers can use ad-hoc wireless bridges and evil-twin access points to acquire cardholder data without physically attaching to the network. Also, physical inspection will do very little against reconnaissance activities or cracking tools that can lead to denial-of-service attacks.
Wireless analyzers can range from freely available PC tools to commercial scanners and analyzers. The goal of all of these devices is to "sniff" the airwaves, to "listen" for wireless devices in the area and identify them. Using this method, a technician or auditor can walk around each site and detect wireless devices. The person would then manually investigate each device to determine whether it allows access to the Cardholder Data Environment (CDE) and classify it as a rogue or a friendly neighboring wireless device. Although this method is technically possible for a small number of locations, it is often operationally tedious, error-prone, and costly for organizations that have several CDE locations. For large organizations, it is recommended that wireless scanning be automated with a wireless IDS/IPS system.
Although the PCI DSS standard does not directly state what the output of wireless analysis should be, it does imply that it should be created, reviewed often, and used to mitigate the risk of unauthorized or rogue wireless devices. At a minimum, the list of wireless devices should clearly identify all rogue devices connected to the CDE. To comply with the intent of PCI DSS requirement 11.1, companies should immediately eliminate the rogue threat in accordance with PCI DSS requirement 12.9 and rescan the environment at the earliest possible opportunity.
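As an added illustration of the classification step described in this section (not Cisco WCS or PCI Council code), the following Python combines a constructed over-the-air scan with the hardware inventory and the CDE switch's MAC table, and also reports which rogues a wired-side scan alone would miss. The BSSID-to-wired-MAC proximity heuristic and every sample address are assumptions.

```python
# Constructed inputs: AUTHORIZED is the maintained hardware inventory
# (BSSID -> SSID), AIR_SCAN is what a monitor-mode access point reports,
# CDE_WIRED_MACS is the MAC table of the switch carrying cardholder data.
AUTHORIZED = {"00:11:22:aa:bb:01": "POS-WLAN", "00:11:22:aa:bb:02": "POS-WLAN"}
AIR_SCAN = [
    {"bssid": "00:11:22:aa:bb:01", "ssid": "POS-WLAN", "rssi": -40},
    {"bssid": "00:11:22:aa:bb:02", "ssid": "POS-WLAN", "rssi": -45},
    {"bssid": "de:ad:be:ef:00:01", "ssid": "POS-WLAN", "rssi": -38},    # evil twin
    {"bssid": "ba:d0:00:00:00:07", "ssid": "linksys", "rssi": -50},     # plugged into CDE
    {"bssid": "c0:ff:ee:00:00:09", "ssid": "Cafe-Guest", "rssi": -82},  # neighbor
]
CDE_WIRED_MACS = {"00:11:22:aa:bb:0f", "ba:d0:00:00:00:0a", "08:00:27:13:37:00"}

def _mac_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)

def on_cde_wire(bssid: str, wired_macs, window: int = 16) -> bool:
    """Assumption: an AP's radio BSSID and its Ethernet MAC are drawn from one
    small consecutive block, so a wired MAC within `window` of the BSSID means
    that access point is physically attached to the CDE switch."""
    b = _mac_int(bssid)
    return any(abs(_mac_int(m) - b) <= window for m in wired_macs)

def classify(air_scan, authorized, wired_macs):
    """Label every BSSID seen on the air; rogue verdicts drive the 12.9 response."""
    cde_ssids = set(authorized.values())
    report = []
    for seen in air_scan:
        bssid, ssid = seen["bssid"], seen["ssid"]
        if bssid in authorized:
            verdict = "authorized"
        elif on_cde_wire(bssid, wired_macs):
            verdict = "rogue-on-cde"   # eliminate immediately, then rescan
        elif ssid in cde_ssids:
            verdict = "evil-twin"      # impersonates the CDE SSID without touching the wire
        else:
            verdict = "neighbor"       # friendly, but keep it on the watch list
        report.append({"bssid": bssid, "ssid": ssid, "verdict": verdict})
    return report

def missed_by_wired_scan(report, wired_macs):
    """Rogues that a switch-side MAC scan alone would never surface."""
    return [r for r in report if r["verdict"] in ("rogue-on-cde", "evil-twin")
            and not on_cde_wire(r["bssid"], wired_macs)]

if __name__ == "__main__":
    rep = classify(AIR_SCAN, AUTHORIZED, CDE_WIRED_MACS)
    for r in rep:
        print(f'{r["bssid"]}  {r["ssid"]:<11} {r["verdict"]}')
    print("invisible to wired-side scan:", [r["bssid"] for r in missed_by_wired_scan(rep, CDE_WIRED_MACS)])
```

The evil twin never appears in the switch's MAC table, which is exactly the case the guideline quoted above says wired-side scanning misses.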
Segmenting Cardholder Data from Other Network Traffic
Interpreting the conditions you must meet to be fully compliant with PCI requirements can be complicated. This is especially true for the task of segmenting the wireless network. PCI DSS treats any data that is not completely separated from the CDE as relevant to an auditor's assessment of PCI compliance, or simply as "in scope." This means that an organization must completely segment any data that it prefers not to have included in a PCI compliance analysis.
In addition, PCI DSS mandates that if a wireless network is not in the scope of cardholder data, it must remain completely isolated from the CDE using a stateful firewall in order to block unauthorized users from accessing it. PCI DSS develops this instruction further by asserting that the firewall must "Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission."
Maintaining the Physical Security of Wireless Devices
While a network is considered to be secure when regular scanning is performed and a stateful firewall is implemented, an organization cannot claim complete security without physically protecting the network and doing everything possible to ensure that unauthorized individuals cannot access, change, or impair the data that is being transmitted.
To maintain the physical security of wireless data, you must have a person at each physical location who is responsible for checking if equipment has been tampered with or compromised in any way. This person must manually assess (utilizing vendor guidance) the security of the access points, wireless controllers, and any other physical pieces of the organization's WLAN.
This process can be simplified through vendor-supplied support tools that work in conjunction with mounted access points and controllers to allow customization of how the system grants user authorization, logs WLAN activity, and disables rogue devices. Cisco access points are easily mounted to ceilings and walls and are plenum rated, with the option to place the access point in the ceiling. Cisco mounting brackets block physical access to the reset button, Ethernet, and console ports.
Enforcing Wireless Security Policies
Specific recommendations in the PCI DSS for wireless usage policies include:
• Change default settings
• Use strong wireless authentication
• Use strong encryption when transmitting cardholder data
Cisco provides businesses with a PCI analysis toolset that is easily integrated into an organization's existing IT and security strategies. With one click, Cisco's Wireless Control System (WCS) can provide reports including information about devices and configurations, potential network gaps relative to PCI DSS requirements and prioritized recommended remediation plans for closing such gaps.
Finally, the WCS simplifies the process of defining access point placement and determining access point coverage areas during the initial wireless network deployment. This makes it easier to include security strategies as part of the rollout, and helps to ensure better coverage and a more secure network. WCS also identifies when pre-shared keys and passwords are being utilized.
Cisco access points have an added security feature that helps prevent breaches even if an attacker gains physical access to the device. If a Cisco access point is reset, the access point looks to the WLAN controller for configuration settings, rather than resetting to factory defaults. Factory default settings leave an access point vulnerable to attack by anyone who has access to the factory default credentials, which are readily available on the Internet.
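An added illustration (not Cisco WCS output) of checking WLAN profiles against the three policy points listed above, including the factory-default case just described: the profile fields, the default-SSID list and the sample profiles are constructed assumptions about what a controller export would contain.

```python
DEFAULT_SSIDS = {"linksys", "default", "tsunami", "wireless"}   # constructed sample
WEAK_AUTH = {"open", "wep", "wpa-psk"}          # no or pre-802.11i authentication
STRONG_AUTH = {"wpa2-enterprise"}               # 802.1X/EAP, per-user credentials

def check_wlan(p):
    """Return (policy point, finding) pairs for one WLAN profile dict."""
    findings = []
    # 1. Change default settings (an AP reset to factory defaults is the classic gap)
    if p["ssid"].lower() in DEFAULT_SSIDS:
        findings.append(("change-defaults", "SSID is a vendor default"))
    if not p["admin_password_changed"]:
        findings.append(("change-defaults", "management password is factory default"))
    # 2. Use strong wireless authentication
    if p["auth"] in WEAK_AUTH:
        findings.append(("strong-auth", f'{p["auth"]} is not acceptable'))
    elif p["auth"] not in STRONG_AUTH:
        findings.append(("strong-auth", "pre-shared key in use; flagged for review"))
    # 3. Strong encryption for cardholder data: 802.11i means WPA2 with AES-CCMP
    if p["cipher"] != "aes-ccmp":
        findings.append(("strong-encryption", f'{p["cipher"]} is not AES-CCMP'))
    return findings

def audit(profiles):
    """Map SSID -> severity and findings; CDE WLANs fail, others only warn."""
    report = {}
    for p in profiles:
        f = check_wlan(p)
        if not f:
            sev = "pass"
        else:
            sev = "fail" if p["carries_cardholder_data"] else "warn"
        report[p["ssid"]] = {"severity": sev, "findings": f}
    return report

SAMPLE_PROFILES = [   # constructed controller export
    {"ssid": "POS-WLAN", "auth": "wpa2-enterprise", "cipher": "aes-ccmp",
     "admin_password_changed": True, "carries_cardholder_data": True},
    {"ssid": "Backoffice", "auth": "wpa2-psk", "cipher": "aes-ccmp",
     "admin_password_changed": True, "carries_cardholder_data": True},
    {"ssid": "linksys", "auth": "wep", "cipher": "rc4",
     "admin_password_changed": False, "carries_cardholder_data": False},
]

if __name__ == "__main__":
    for ssid, r in audit(SAMPLE_PROFILES).items():
        print(ssid, r["severity"], [f"{k}: {v}" for k, v in r["findings"]])
```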
Solution Architectures for Specific Organization Profiles
It is important to assess how an organization's network is deployed in order to understand the security architecture and management tools required to meet PCI compliance requirements. There are two circumstances that are most typical for organizations that accept payment cards and therefore need to protect the CDE.
Case 1: Using a Wireless Scanning Overlay When There Is No Wireless Transmission of Cardholder Data
Some organizations do not transmit cardholder data wirelessly but plan to achieve PCI compliance through a wireless scanning overlay solution. These organizations can protect cardholder data from out-of-scope devices by incorporating access points operating in monitor mode and using an appropriate controller. Without wireless scanning, out-of-scope devices would go unrecognized, potentially allowing cardholder data to be acquired.
Case 2: Securing the Wireless Network When Cardholder Data Is Transmitted Wirelessly
When an organization transmits cardholder data wirelessly, there is an even greater need to monitor wireless traffic and help ensure that all (wired) cardholder data is segmented from wireless transmissions that may be infiltrated. In order to guarantee sufficient monitoring and reporting along with ample segmentation, an organization's wireless architecture would have to include:
• Access points, locally or centrally positioned or both
• Controllers (with sufficient IDS/IPS to maintain updated baselines and signatures to ensure optimal protection)
• Cisco Wireless Control System and Cisco Security Manager
• A stateful firewall
Cisco offers two firewall options certified to meet stateful firewall requirements: the Cisco ASA 5500 Series Adaptive Security Appliance and Cisco Integrated Services Routers running Cisco IOS® Security. Organizations can choose the option that best integrates with the existing network.
Wireless technology offers considerable advantages. However, if cardholder or point-of-sale (PoS) data is transmitted over a WLAN, the organization may need to be more vigilant than it would otherwise need to be.
There are a number of ways in which your organization can protect customers and itself long term. Initially, an organization needs to understand that investing in appropriate wireless architecture will block opportunities for outside parties and malicious rogues to infiltrate the network. By following a Cisco validated design guide, your organization can help ensure that essential security, data gathering, and management instruments are available and applied correctly from the outset. In addition, if your organization relies on its wireless network to transmit data, you must have tools to simplify the management of wireless access and usage.
Providing Security Beyond PCI Compliance
PCI compliance is critical for any organization that processes credit card data. However, basic PCI compliance does not mean that customer data is 100 percent protected from those seeking to hack into a network and to steal card data for their own personal gain. Many organizations prudently choose to secure their wireless networks beyond the principal requirements set by the PCI DSS. In addition to Cisco access points, wireless controllers, the Cisco WCS, the Cisco Security Manager, and a stateful firewall, organizations may want to include an adaptive wireless intrusion prevention system (wIPS) that resides on the Cisco Mobility Services Engine (MSE). Other security measures include additional monitor mode access points and Cisco CleanAir technology for performance protection and interference mitigation.
Any bundle of security-boosting products can be further enhanced through professional services. These services may include validated design guides, deployment assistance, and ongoing professional management. Working with an expert in the field allows for an efficient, consistent experience that can greatly simplify the PCI compliance process. Cisco offers a wide variety of professional services, including both wireless and security-related offerings.
By using Cisco's end-to-end solution, you can take advantage of the network to manage business opportunities efficiently and cost-effectively and to help ensure that the network and all employee, customer, and inventory data is protected. It is important to remember that networks are complex systems: even with high-quality individual components, the network will be neither secure nor compliant without having been planned and built correctly. Cisco validated designs include all of the tools and actions necessary for a company to proceed with confidence. A Cisco partner can expect recommended architectures for networks, as well as for payment data that is in-transit or stationary in the database. PCI audit and remediation partners can help with design guidance and audit reviews. In addition to creating the most up-to-date design and implementation guide to the tools for PCI compliance, Cisco will perform testing in a simulated environment along with configuration, monitoring, and authentication management systems. From simple overlay solutions to comprehensive wireless scanning, detection and eradication tools, Cisco is prepared to enable your organization's personalized PCI compliance toolset.