New PCI compliance rules ban WEP, tighten wireless LAN security

By Michael Morisy, News Writer
14 Jan 2009 | SearchNetworking.com

Revisions to the Payment Card Industry (PCI) Data Security Standard have tightened rules for processing credit cards over wireless LANs. Rather than settling for minimum compliance, network engineers should try to stay a step ahead of the standards by planning for the long haul.

"PCI is just one of the many standards out there, particularly important for retail. But following PCI guidelines isn't a bad idea for any company," said Craig Mathias, principal of the Farpoint Group. "Information is all any organization has, and if you're not guarding it carefully, you're not going to have a competitive advantage for very long."

Organizations that process credit cards face many penalties if they fail to adhere to the standards, including heavy fines or a revocation of credit card processing rights. And of course there are major business consequences associated with a compliance failure, such as the January 2007 breach at TJX Companies, where more than 45.7 million customers had their personal data -- including Social Security numbers and credit card information -- compromised, partly as a result of an unsecured wireless access point in one of TJX's stores.

Such access points are one of the main targets in this year's PCI compliance update, which largely clarifies existing rules while also focusing on some evolving security practices.

For example, starting March 31, new wireless implementations transmitting or connected to cardholder data are prohibited from implementing WEP encryption.

"This is not something that should be taken lightly," Mathias said.

And now that the holiday crush is over, retail IT pros can devote a little more of their time to making sure they are not the next cautionary PCI headline.

For Petco, staying compliant is a year-round game, with a dedicated compliance administrator tasked with reviewing the requirements and making sure the appropriate technical staff keep things in check.

The pet store giant has also found that staying ahead of the curve can ease the annual update rush while potentially saving some money, according to J. Smith, vice president of network and store systems for Petco.

"PCI compliance is a continuous process and an evolving process," Smith said, adding that Petco has been PCI compliant for three years. He said that the company, rather than engaging in a once-a-year rush, had broken down the compliance cycle into monthly, quarterly and annual segments to follow through with, some mandated by the standard and some designed to make sure that when the next standard is released, there are no major surprises and, more critically, no business interruptions.

And while Smith said that PCI compliance was a company-wide effort -- all employees need to be trained on proper data handling, for example -- much of the onus falls on the networking group.

To stay ahead of the evolving PCI standards, Smith relies in part on having the right vendors in place.

"All vendors are definitely not created equal," he said. "And all you have to do is ask your vendor where they stand in terms of upcoming compliance."

Petco, for example, decided to go with Aruba for its wireless networking needs, based in large part on its security-centric development cycle. Smith said Aruba's acquisition of Airwave was important to his vendor-selection process. Aruba's integration of Airwave into its technology has improved Petco's ability to do PCI compliance testing and reporting.

"We're really looking at Aruba as a seven-year-plus infrastructure partner for us, whether that be VoIP or increased security standards," he said, adding that Aruba's track record of software updates to improve compliance and security was also reassuring, reducing the chance of pricey rip-and-replace upgrades later on.

In addition to vendor partners, Smith also suggested taking a great deal of care when choosing an organization's auditing partner.

"Do they take a partnership approach where they give guidance on their interpretation of PCI?" he said. "Although there is a lot of black and white, there is still a lot of interpretation."

Networking professionals should also plan for the long haul with PCI compliance. Smith said that Petco always invests in equipment and procedures that exceed not only the requirements but also the recommended best practices, and that this has paid off monetarily over time.

"Make strategic decisions where you want to over-purchase and over-deploy, and buy x+1 or x+2 of [the standard]," he said. "You … may end up with … additional protection today, [and] it'll make future PCI protection that much easier."
