Revisions to the Payment Card Industry (PCI) Data Security Standard have tightened rules for processing credit cards over wireless LANs. Network engineers should think about
"PCI is just one of the many standards out there, particularly important for retail. But following PCI guidelines isn't a bad idea for any company," said Craig Mathias, principal of the Farpoint Group. "Information is all any organization has, and if you're not guarding it carefully, you're not going to have a competitive advantage for very long."
Organizations that process credit cards face many penalties if they fail to adhere to the standards, including heavy fines or a revocation of credit card processing rights. And of course there are major business consequences associated with a failure of compliance, such as the January 2007 breach at TJX Companies, where more than 45.7 million customers had their personal data -- including social security numbers and credit card information -- compromised, partly as a result of an unsecured wireless access point in one of TJX's stores.
Such access points are one of the main targets in this year's PCI compliance update, which largely clarifies existing rules while also focusing on some evolving security practices.
For example, starting March 31, new wireless implementations transmitting or connected to cardholder data are prohibited from implementing WEP encryption.
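A practical way to act on that rule is to audit the access-point inventory exported from the WLAN controller and flag any in-scope AP still running WEP (or no encryption at all). The script below is an added example written for this article, not code from the article, from PCI SSC or from any vendor; the one-AP-per-line export format, the column names and the sample lines are constructed assumptions for the example.

```python
"""Flag wireless access points in the cardholder data environment (CDE)
that still use WEP or no encryption at all.

Added example; not from the article or from any vendor's tooling. The
inventory format (one AP per line: ap_name,ssid,security_mode,in_cde)
and the sample lines below are constructed for this example.
"""

# Constructed sample export from a hypothetical WLAN controller.
SAMPLE_INVENTORY = """\
ap_name,ssid,security_mode,in_cde
store-042-ap1,POS-WLAN,wep-128,yes
store-042-ap2,POS-WLAN,wpa2-aes,yes
store-042-ap3,GUEST,open,no
store-117-ap1,POS-WLAN,wpa-tkip,yes
store-117-ap2,BACKOFFICE,wpa2-aes,yes
"""

# Modes that must not carry or touch cardholder data. WEP is the mode the
# PCI DSS update names; an open network is included because it is weaker still.
PROHIBITED_MODES = {"open", "wep", "wep-40", "wep-64", "wep-104", "wep-128"}


def parse_inventory(text):
    """Parse the CSV-style export into a list of dicts keyed by the header row."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(",")
    rows = []
    for ln in lines[1:]:
        fields = ln.split(",")
        if len(fields) != len(header):
            raise ValueError(f"malformed inventory line: {ln!r}")
        rows.append(dict(zip(header, fields)))
    return rows


def is_prohibited(mode):
    """True for WEP in any key length and for unencrypted (open) networks."""
    mode = mode.strip().lower()
    return mode in PROHIBITED_MODES or mode.startswith("wep")


def find_violations(rows):
    """Return (ap_name, ssid, mode) for every in-scope AP using a prohibited mode.

    An AP outside the CDE (in_cde != yes) is not a PCI finding here, even if
    it is open; guest networks are a separate segmentation question.
    """
    violations = []
    for row in rows:
        in_scope = row["in_cde"].strip().lower() in {"yes", "true", "1"}
        if in_scope and is_prohibited(row["security_mode"]):
            violations.append((row["ap_name"], row["ssid"], row["security_mode"]))
    return violations


def audit(text):
    """Parse an inventory export and return its list of non-compliant APs."""
    return find_violations(parse_inventory(text))


if __name__ == "__main__":
    for ap, ssid, mode in audit(SAMPLE_INVENTORY):
        print(f"NON-COMPLIANT: {ap} ({ssid}) uses {mode}")
```

Run against the constructed sample, only `store-042-ap1` is reported: the open guest AP is out of scope for this check, and the WPA/TKIP AP is not flagged because the rule quoted above names WEP only. Scheduling this against a nightly controller export turns a once-a-year audit item into the kind of continuous check described later in the article.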
"This is not something that should be taken lightly," Mathias said.
And now that the holiday crush is over, retail IT pros can devote a little more of their time to making sure they are not the next cautionary PCI headline.
For Petco, staying compliant is a year-round game, with a dedicated compliance administrator tasked with reviewing the requirements and making sure the appropriate technical staff keep things in check.
The pet store giant has also found that staying ahead of the curve can ease the annual update rush while potentially saving some money, according to J. Smith, vice president of network and store systems for Petco.
"PCI compliance is a continuous process and an evolving process," Smith said, adding that Petco has been PCI compliant for three years. He said that the company, rather than engaging in a once-a-year rush, had broken down the compliance cycle into monthly, quarterly and annual segments to follow through with, some mandated by the standard and some designed to make sure that when the next standard is released, there are no major surprises and, more critically, no business interruptions.
And while Smith said that PCI compliance was a company-wide effort -- all employees need to be trained on proper data handling, for example -- much of the onus falls on the networking group.
To stay ahead of the evolving PCI standards, Smith relies in part on having the right vendors in place.
"All vendors are definitely not created equal," he said. "And all you have to do is ask your vendor where they stand in terms of upcoming compliance."
Petco, for example, decided to go with Aruba for its wireless networking needs, based in large part on its security-centric development cycle. Smith said Aruba's acquisition of Airwave was important to his vendor-selection process. Aruba's integration of Airwave into its technology has improved Petco's ability to do PCI compliance testing and reporting.
"We're really looking at Aruba as a seven-year-plus infrastructure partner for us, whether that be VoIP or increased security standards," he said, adding that Aruba's track record of software updates to improve compliance and security was also reassuring, reducing the chance of pricey rip-and-replace upgrades later on.
In addition to vendor partners, Smith also suggested taking a great deal of care when choosing an organization's auditing partner.
"Do they take a partnership approach where they give guidance on their interpretation of PCI?" he said. "Although there is a lot of black and white, there is still a lot of interpretation."
Networking professionals should also plan for the long haul with PCI compliance. Smith said that Petco always invests in equipment and procedures that exceed not only the requirements but also the recommended best practices, and that this has paid off monetarily over time.
"Make strategic decisions where you want to over-purchase and over-deploy, and buy x+1 or x+2 of [the standard]," he said. "You … may end up with … additional protection today, [and] it'll make future PCI protection that much easier."