Securing the Cardholder Data Environment
Payment Security is a Shared Responsibility
As organizations begin to take advantage of mobile payment capabilities and wireless technology to improve operations and gain a competitive edge, the number one goal of your payment processor is to help keep you and your data safe and secure — but all participants must work together to produce that result. According to the Payment Card Industry Security Standards Council (PCI SSC), risks in wireless networks are essentially equal to the sum of the risk of operating a wired network plus the new risks introduced by weaknesses in wireless protocols.
Mobile payment acceptance at the point of sale offers growth opportunities for all kinds of businesses, but it’s important to understand how to reduce the potential for new risks to the security of cardholder data and to your business. Payment security has always been a shared responsibility, and the same holds true for maintaining security in the mobile landscape. Complying with the Payment Card Industry Data Security Standard (PCI DSS), which is enforced through your card brand and merchant account agreements rather than by government regulation, will help you do your part to keep mobile payment processing safe.
Wi-Fi is the common name for a wireless local area network (WLAN) built on the IEEE 802.11 family of standards. Wi-Fi technology allows an electronic device to exchange data or connect to the Internet using radio waves. It can be less secure than a wired connection (such as Ethernet) because an intruder needs no physical connection to reach the network, and any traffic sent without encryption can be captured by anyone within radio range using nothing more than a laptop and a wireless card.
Wi-Fi Encryption Technology
Several encryption protocols exist for Wi-Fi. The original standard, WEP, proved easy to break, so Wi-Fi Protected Access (WPA) and later WPA2 were developed to replace it. WPA was an interim fix: it kept the RC4 cipher of the WEP era and wrapped it in TKIP (Temporal Key Integrity Protocol), which has known weaknesses of its own. WPA2 implements the full IEEE 802.11i standard and mandates AES-CCMP, a much stronger cipher. WPA2 support has been mandatory for Wi-Fi certified hardware since 2006 and was an optional feature on some products before that. Note that enabling WPA2 does not by itself remove TKIP: most access points offer a “WPA/WPA2 mixed mode” that still accepts TKIP for old clients, so the access point must be configured for WPA2 with AES/CCMP only and TKIP disabled.
Most wireless routers support both WPA and WPA2, and administrators must choose which one to run. WPA2 is the correct choice. The old objection that AES costs more processing power than TKIP is no longer relevant: WPA2-certified chipsets implement AES-CCMP in hardware, so in practice there is no measurable penalty, and performance is not a reason to keep WPA or TKIP enabled.
WPA2 with AES/CCMP is the baseline that satisfies the PCI DSS expectation of strong encryption on wireless networks; WPA with TKIP does not, and WEP is prohibited outright. Note also the difference between WPA2-Personal, where every device shares a single pre-shared key that must be long and random and must be changed whenever anyone who knows it leaves, and WPA2-Enterprise, which authenticates each user or device individually through IEEE 802.1X and is the better choice wherever the merchant can run an authentication server.
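The following is an added example, not code from this page or from the PCI SSC. It audits a hostapd-style access point configuration for the settings just discussed: WEP keys, WPA version 1, the TKIP cipher and short pre-shared keys. The three configurations are constructed for illustration, and the cipher defaults assumed when a setting is absent follow hostapd’s documented behaviour (wpa_pairwise defaults to TKIP, rsn_pairwise defaults to wpa_pairwise).

```python
"""Audit a hostapd-style AP configuration for weak wireless encryption.

Added example; the three configurations below are constructed, not taken
from a real deployment."""

import re

# Constructed: the "WPA/WPA2 mixed mode" many routers still ship by default.
# wpa=3 accepts both WPA (v1) and WPA2, and TKIP is offered to old clients,
# so an attacker simply negotiates the weak option.
WEAK_CONF = """
interface=wlan0
ssid=StorePOS
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
wpa_passphrase=store123
"""

# Constructed: the corrected configuration. WPA2 only, AES-CCMP only, and a
# long random passphrase (a placeholder here; generate your own).
STRONG_CONF = """
interface=wlan0
ssid=StorePOS
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=Q7v!m2Xp#9LwzR4tB6nK
"""

# Constructed: a legacy WEP configuration, prohibited outright since 2010.
WEP_CONF = """
interface=wlan0
ssid=StorePOS
wep_default_key=0
wep_key0=123456789A
"""

MIN_PASSPHRASE = 14  # recommended minimum; a WPA2 passphrase may be up to 63


def parse_hostapd(text):
    """Turn key=value lines into a dict, ignoring comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(text):
    """Return a list of findings; an empty list means the config passes."""
    conf = parse_hostapd(text)
    findings = []

    if any(re.fullmatch(r"wep_key\d", key) for key in conf):
        findings.append("WEP keys configured; WEP has been prohibited as a "
                        "security control since 30 June 2010")

    wpa = conf.get("wpa", "0")  # hostapd default: no WPA/WPA2 at all
    if wpa == "0":
        findings.append("wpa=0: no WPA/WPA2, traffic is sent in the clear "
                        "or with WEP")
        return findings

    if wpa in ("1", "3"):
        findings.append(f"wpa={wpa}: WPA version 1 is accepted; set wpa=2")

    # Assumed defaults per hostapd documentation: wpa_pairwise defaults to
    # TKIP and rsn_pairwise defaults to wpa_pairwise, so an unset cipher
    # list silently means TKIP.
    wpa_ciphers = set(conf.get("wpa_pairwise", "TKIP").split())
    rsn_ciphers = set(conf.get("rsn_pairwise", " ".join(wpa_ciphers)).split())
    active = set()
    if wpa in ("1", "3"):
        active |= wpa_ciphers
    if wpa in ("2", "3"):
        active |= rsn_ciphers
    if "TKIP" in active:
        findings.append("TKIP pairwise cipher offered; use rsn_pairwise=CCMP "
                        "and remove wpa_pairwise")
    if "CCMP" not in active:
        findings.append("AES-CCMP is not offered at all")

    passphrase = conf.get("wpa_passphrase")
    if passphrase is not None and len(passphrase) < MIN_PASSPHRASE:
        findings.append(f"wpa_passphrase is {len(passphrase)} characters; "
                        f"use at least {MIN_PASSPHRASE} random characters")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("strong", STRONG_CONF),
                       ("wep", WEP_CONF)):
        print(name, audit(conf) or ["OK"])
```

Run against a real hostapd.conf by reading the file into `audit()`; the same checks apply to vendor router firmware, where the equivalent settings are usually labelled “Security mode” (WPA2 only, never mixed) and “Encryption” (AES, never TKIP or TKIP+AES).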
Securing Your Data and Securing Your Device — Merchant Requirements for PCI DSS Compliance
PCI DSS requires merchants to protect cardholder data and any payment card information, whether it is printed, processed, transmitted or stored. It requires organizations to extend the same level of security from the wired network to the wireless network and provides specific guidelines as to how to protect point-of-sale data over the wireless network.
Additionally, as part of the terms of your merchant account agreement, all merchants should have secure Wi-Fi as defined and required by PCI DSS, including but not limited to the following:
- The merchant should ensure that only trusted individuals have access to the payment application and its associated environment.
- The mobile device should be stored in a secure location when it is not in use. The merchant should consider locking the mobile device to the merchant’s physical location when possible. The merchant should place mobile devices in a location that offers the greatest level of security (less customer and employee access), observation, and monitoring when possible.
- Where data passes through a network under the merchant’s control (e.g., Wi-Fi or Bluetooth®), ensure that the network is implemented as a secure network per PCI DSS Requirement 4 (See page 16 of the PCI DSS Quick Reference Guide).
What Is Required to Achieve PCI DSS Compliance?
If you transmit point-of-sale data over a wired or wireless network, you will need to meet the requirements summarized on page 23 of the PCI DSS Wireless Guidelines.
PCI DSS Requirement 4.1.1: Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission.
Testing procedure 4.1.1: For wireless networks transmitting cardholder data or connected to the cardholder data environment, verify that industry best practices (for example, IEEE 802.11i) are used to implement strong encryption for authentication and transmission.
Note: The use of WEP as a security control was prohibited as of June 30, 2010. In practice, the industry best practice the requirement points to is WPA2 (the certified implementation of IEEE 802.11i) with AES-CCMP; an assessor will look at the access point configuration for WEP, WPA version 1 and TKIP and expect to find none of them.
How Do I Secure the Wireless Network?
In addition to protecting cardholder data in transit over wireless, organizations must also secure and control physical access to the wireless medium itself: the access points, controllers and the devices that attach to them. Detailed information can be found in the PCI SSC’s supplemental document, PCI DSS Wireless Guidelines, which outlines the five areas that must be addressed to meet the wireless requirements.
Why You Must Change Default Wi-Fi Passwords
Wireless router manufacturers set a factory default username and password for the device’s administrative interface, and these must be changed immediately after installing the unit. PCI DSS Requirement 2.1.1 makes this explicit for wireless gear connected to the cardholder data environment: all vendor defaults must be changed at installation, including default encryption keys, passwords and SNMP community strings. The default credentials for popular models of wireless network gear are well known to attackers and posted on the Internet, so leaving them in place lets anyone who can reach the management interface log in, reconfigure the device and enumerate every device connected to it. Keep in mind that the administrative password and the WPA2 passphrase clients use to join the network are two different secrets, and both must be changed from their defaults. Many experts recommend changing Wi-Fi passwords every 30 to 90 days; PCI DSS additionally requires that wireless encryption keys be changed whenever anyone who knows them leaves the company or changes position. When you do change them, choose wisely.
How to Increase Security with Good Passwords
Good passwords are ones designed to resist both intelligent guessing and offline brute force. Commonly recommended guidelines include the following:
- Use a minimum length of 12 to 14 characters where the system allows it; a WPA2 passphrase may be up to 63 characters long, so there is no reason to stop at the minimum.
- Include lowercase and uppercase alphabetic characters, numbers and symbols if allowed.
- Generate passwords randomly where possible.
- Avoid using the same password twice as in multiple user accounts and/or software systems.
- Avoid character repetition, keyboard patterns, dictionary words, letter or number sequences, usernames, relative or pet names, current or past romantic links and biographical information such as ID numbers, ancestors’ names or dates.
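The following is an added example, not code from this page, showing how to generate a passphrase with a cryptographically secure random source and how to vet a candidate against the guidelines listed above. The dictionary and the keyboard rows are small constructed stand-ins for the full word lists a real checker would load; `personal_terms` and `previously_used` are inputs the caller supplies for the last two guidelines.

```python
"""Generate and vet Wi-Fi passphrases against the password guidelines above.

Added example; the dictionary and keyboard rows are constructed stand-ins."""

import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{}:;,.?/"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# Constructed: a token dictionary. A real check would load a full word list.
DICTIONARY = {"password", "store", "wireless", "admin", "welcome",
              "summer", "router", "payment", "cashier"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def has_repeat(pw, run=3):
    """Same character three or more times in a row, e.g. 'aaa' or '!!!'."""
    return any(len(set(pw[i:i + run])) == 1 for i in range(len(pw) - run + 1))


def has_sequence(pw, run=4):
    """Ascending or descending runs of letters or digits ('abcd', '4321')."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if not (chunk.isalpha() or chunk.isdigit()):
            continue
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_keyboard_pattern(pw, run=4):
    """Fragments of a keyboard row in either direction ('qwer', 'lkjh')."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            frag = row[i:i + run]
            if frag in low or frag[::-1] in low:
                return True
    return False


def check_passphrase(pw, personal_terms=(), previously_used=(), min_length=14):
    """Return the list of guideline violations; empty means the passphrase passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = {
        "lowercase": any(c.islower() for c in pw),
        "uppercase": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"no {name} character")
    if has_repeat(pw):
        problems.append("repeated character run")
    if has_sequence(pw):
        problems.append("letter or number sequence")
    if has_keyboard_pattern(pw):
        problems.append("keyboard pattern")
    low = pw.lower()
    for word in sorted(DICTIONARY):
        if word in low:
            problems.append(f"contains dictionary word '{word}'")
    for term in personal_terms:  # names, dates, ID numbers supplied by the owner
        if term and term.lower() in low:
            problems.append(f"contains personal information '{term}'")
    if pw in previously_used:
        problems.append("reused from another account or system")
    return problems


def generate_passphrase(length=20):
    """Draw characters from the OS CSPRNG until every guideline check passes."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_passphrase(candidate, min_length=length):
            return candidate


if __name__ == "__main__":
    print(check_passphrase("Store2023!"))
    print(check_passphrase("Fluffy1998!!!", personal_terms=("Fluffy", "1998")))
    print(generate_passphrase())
```

The generator uses `secrets` rather than `random` because the latter is a predictable pseudo-random generator unsuitable for secrets; the retry loop discards the rare random string that happens to contain a forbidden pattern. Store the result in a password manager, not on a sticky note under the router.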
Wi-Fi Network Security
The PCI Security Standards Council reminds us that wireless networking is a concern for every organization that stores, processes or transmits cardholder data, whether or not it has deliberately deployed wireless, and that such organizations must adhere to the PCI DSS. It makes the following key points:
- Even if an organization that must comply with PCI DSS does not use wireless networking as part of the Cardholder Data Environment, the organization must verify that its wireless networks have been segmented away from the CDE and that wireless networking has not been introduced into the CDE over time.
- Although the PCI DSS outlines requirements for securing existing wireless technologies, there are validation requirements that extend beyond the known wireless devices and require monitoring of unknown and potentially dangerous rogue devices.
- A rogue wireless device is an unauthorized wireless device that can allow access to the CDE. Wireless networks can be considered outside of PCI DSS scope if no wireless is deployed or if wireless has been deployed and segmented away from the CDE.
- Regardless of whether wireless networks have been deployed, periodic monitoring is needed to keep unauthorized or rogue wireless devices from compromising the security of the CDE. PCI DSS Requirement 11.1 calls for testing for the presence of wireless access points and identifying all authorized and unauthorized ones at least quarterly; a wireless scanner walked through the premises, or a wireless intrusion detection system, are the usual ways to do this.
- Segmenting wireless networks out of PCI DSS scope requires a firewall between the wireless network and the CDE, configured to deny all traffic from the wireless segment into the CDE except what is explicitly needed for business purposes (PCI DSS Requirement 1.2.3).
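The following is an added example, not code from this page or from the PCI SSC, of the rogue-device check described above. It parses the output of a wireless scan, compares each access point seen against an inventory of the merchant’s authorized BSSIDs and SSIDs, flags unknown devices and impersonators, and checks the merchant’s own access points for WEP, open or TKIP configurations. The inventory, the sample scan output (in the format of `iw dev wlan0 scan`, trimmed to the fields used) and the signal threshold for “probably on premises” are all constructed assumptions.

```python
"""Separate authorized, unknown and rogue access points in a Wi-Fi scan.

Added example; the inventory, sample scan and signal threshold are constructed."""

import re
import subprocess

# Constructed inventory: every access point the merchant deployed, keyed by
# BSSID (the radio's MAC address) with the SSID it is supposed to broadcast.
AUTHORIZED = {
    "00:11:22:aa:bb:01": "StorePOS",
    "00:11:22:aa:bb:02": "StoreGuest",
}

# Assumption: a signal stronger than this most likely originates inside the
# premises rather than from a neighbouring business.
ON_PREMISES_DBM = -60.0

# Constructed sample in the shape of `iw dev wlan0 scan` output (iw indents
# with tabs; the parser strips either). Five BSS blocks, trimmed to the
# fields used below.
SAMPLE_SCAN = """\
BSS 00:11:22:aa:bb:01(on wlan0)
    signal: -41.00 dBm
    SSID: StorePOS
    RSN:     * Version: 1
         * Pairwise ciphers: CCMP
BSS 00:11:22:aa:bb:02(on wlan0)
    signal: -52.00 dBm
    SSID: StoreGuest
    WPA:     * Version: 1
         * Pairwise ciphers: TKIP
BSS de:ad:be:ef:00:01(on wlan0)
    signal: -38.00 dBm
    SSID: StorePOS
    RSN:     * Version: 1
         * Pairwise ciphers: CCMP
BSS c0:ff:ee:00:00:01(on wlan0)
    signal: -45.00 dBm
    capability: ESS Privacy (0x0011)
    SSID: NETGEAR37
BSS 12:34:56:78:9a:bc(on wlan0)
    signal: -78.00 dBm
    SSID: CoffeeNextDoor
    RSN:     * Version: 1
         * Pairwise ciphers: CCMP
"""


def parse_scan(text):
    """Extract BSSID, SSID, signal and security details from each BSS block."""
    aps = []
    for block in re.split(r"(?m)^BSS ", text):
        match = re.match(r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})", block)
        if not match:
            continue
        ap = {"bssid": match.group(1), "ssid": "", "signal": None,
              "rsn": False, "wpa": False, "privacy": False, "ciphers": set()}
        for line in block.splitlines():
            line = line.strip()
            if line.startswith("SSID:"):
                ap["ssid"] = line[len("SSID:"):].strip()
            elif line.startswith("signal:"):
                ap["signal"] = float(line.split()[1])
            elif line.startswith("RSN:"):
                ap["rsn"] = True        # WPA2 information element present
            elif line.startswith("WPA:"):
                ap["wpa"] = True        # WPA (v1) information element present
            elif line.startswith("capability:") and "Privacy" in line:
                ap["privacy"] = True    # encryption bit set: WEP if no RSN/WPA
            elif line.startswith("* Pairwise ciphers:"):
                ap["ciphers"].update(line.split(":", 1)[1].split())
        aps.append(ap)
    return aps


def classify(aps, authorized=AUTHORIZED):
    """Map each BSSID to its findings; an empty list means all is well."""
    report = {}
    for ap in aps:
        findings = []
        expected = authorized.get(ap["bssid"])
        if expected is None:
            if ap["ssid"] in authorized.values():
                findings.append("CRITICAL: unauthorized BSSID advertising the "
                                f"authorized SSID '{ap['ssid']}' (possible evil twin)")
            elif ap["signal"] is not None and ap["signal"] > ON_PREMISES_DBM:
                findings.append("HIGH: unknown access point with on-premises "
                                "signal strength; locate it, then remove or document it")
            else:
                findings.append("INFO: unknown access point, probably a neighbour; "
                                "record it and compare at the next scan")
        else:
            if ap["ssid"] != expected:
                findings.append(f"HIGH: authorized BSSID advertising '{ap['ssid']}' "
                                f"instead of '{expected}'")
            # Encryption is checked only on the merchant's own access points.
            if not ap["rsn"] and not ap["wpa"]:
                findings.append("HIGH: WEP in use" if ap["privacy"]
                                else "HIGH: open network, no encryption")
            elif "TKIP" in ap["ciphers"] or not ap["rsn"]:
                findings.append("HIGH: WPA/TKIP in use; reconfigure for WPA2 with AES-CCMP")
        report[ap["bssid"]] = findings
    return report


def scan_interface(interface="wlan0"):
    """Run a live scan (needs root) and classify everything in range."""
    output = subprocess.run(["iw", "dev", interface, "scan"],
                            capture_output=True, text=True, check=True).stdout
    return classify(parse_scan(output))


if __name__ == "__main__":
    for bssid, findings in classify(parse_scan(SAMPLE_SCAN)).items():
        print(bssid, findings or ["OK: authorized, WPA2/CCMP"])
```

Keep the inventory under change control and re-run the scan from several points inside the premises, since a rogue device in a back office may be invisible from the sales floor; a neighbour’s access point is not the merchant’s problem, but an unknown device with a strong signal, or any device broadcasting one of the merchant’s own SSIDs, is.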
PCI DSS Overview
PCI DSS requires merchants to protect cardholder data, whether it is printed, processed, transmitted or stored. It requires organizations to extend the same level of security from the wired network to the wireless network and provides specific guidelines as to how to protect point-of-sale data over the wireless network.
Cyber criminals continue to find new ways to acquire sensitive cardholder data, and payment card security breaches are a constant concern. Complying with the PCI DSS will help you do your part to keep mobile payment processing safe.