Nothing New In "New" PCI Wireless Guidelines

Retailers fearful of having cardholder data swiped from their wireless networks won't, unfortunately, find any new and magical cures within the new guideline published by the PCI Security Standards Council (PCI SSC) July 16. Indeed, the document's authors concede they didn't come up with any requirements that weren't already included in the existing PCI standards. Then again, given an understanding between PCI and retailers, they really weren't allowed to come up with anything new.

That understanding is that PCI won't materially change for two years after it's issued, and the next update isn't due until late next year. This way, retailers can make technology decisions based on current PCI rules without worrying about them changing every few months.

But if there's any area where retailers would want more security standardization rules—or at least much more specific and realistic rules—it's clearly wireless security. To be fair, that's a very tall order, and the nature of both wireless security and the PCI Council virtually makes it impossible.

Many would argue that wireless security is an oxymoron, that the very nature of wireless communication makes secure transmissions unlikely. The very act of scanning for rogue networks in a crowded mall is fairly futile, for example, given the huge number of legitimate networks that are routinely added by retail neighbors.

At the same time, the nature of the PCI Council also makes such specific and practical advice difficult, given that its rules must apply to everyone from Wal-Mart to the one-location Phil's Hoagies Shop down the street. Having rules that apply to all forces its guidelines to be somewhat generic, leaving it up to IT management at each chain—in consultation (and sometimes knock-down, drag-out fights) with their assessor—to work out the details that make sense for that chain.

Factoring that in, it's not realistic to expect national all-chain guidelines from PCI—especially during a part of the calendar where they are not permitted to make any substantive changes—to materially address the wireless security question. But the group at least tried to consolidate all of its disparate wireless rules into one document, giving wireless managers a fighting chance of playing by the PCI rules.

"It contains no changes to the PCI standard at all and the only thing really interesting about it is that they felt the need to issue it," said David Taylor, founder of the PCI Knowledge Base, a former Gartner analyst and PCI Columnist for StorefrontBacktalk. (See Taylor's more detailed analysis of what's good about the new PCI wireless document in this week's column.) "They recognized the confusion out there."

In explaining its reason for creating the 33-page document, the PCI Council's Special Interest Group (SIG) on wireless technologies said its goal was "to help organizations understand how PCI DSS applies to wireless environments, how to limit the PCI DSS scope as it pertains to wireless and practical methods and concepts for deployment of secure wireless in payment card transaction environments."

Troy Leach, technical director of the PCI SSC, said there was an obvious need to gather together and better explain the many references to wireless security that are sprinkled throughout the PCI DSS. "When someone says 'wireless technology and PCI,' most people go to section 4.1 of the standard, which goes into transmitting cardholder data over a wireless network," Leach said. "But they might overlook the fact that throughout the 12 domains of the PCI standard there are (other) references to wireless."

The PCI DSS Wireless Guideline is, in essence, "a set of shared concepts that everyone can use, be they merchants, network processors, IT departments or assessors, so everybody is kind of using the same language," said VeriFone Director of Product Security Doug Manchester, who served as the chairman of the SIG. For example, the document specifies what the PCI DSS considers to be "in scope" and "out of scope" when it comes to a wireless network and PCI. Manchester noted that, while a wireless network that doesn't intentionally carry any cardholder data over the WLAN is considered out of scope, the guideline "goes to great length to say you can't be wireless agnostic or unaware" because it is easy for somebody to install a rogue wireless card or access point into a network and compromise the system security.

To that point, Taylor and others note that the new guideline, while pointing out the danger of rogue wireless devices being installed, "is explanatory but could be more explanatory and more helpful" to companies intent on preventing them.

Even so, some retail IT executives were underwhelmed by the guideline. One, requesting anonymity, said it would be "onerous" for most companies to conduct quarterly scans of all their facilities, using wireless signal sniffers, in an effort to unearth rogue access points. As pointed out by others years ago, these scans tend to raise all sorts of false alarms that take time to track down, especially if the scanned facility is in an urban area full of external Wi-Fi networks. The IT executive also contended any smart hacker wouldn't allow the rogue access point to broadcast its SSID or even be run in anything other than a response-only mode.
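To make the "onerous" scan concrete, here is an added example (not from the article, the PCI SSC guideline, or any vendor tool) of how a store's IT team might triage the output of a wireless sniff walk against an inventory of the access points it actually deployed. The scan records, the authorized BSSID inventory, the corporate SSID name and the neighbour signal threshold are all constructed for illustration. The point it shows is that a hidden SSID does not hide the radio: a sniffer that captures beacon or probe-response frames still records the BSSID, so an unknown BSSID with a strong signal stands out even when it advertises no name, while weak unknown radios can be parked as probable neighbours rather than chased through the mall.

```python
"""
Rogue access point triage against an authorized-AP inventory.

Added example, not code from the article or from the PCI SSC. All
inventory entries, scan records and thresholds below are constructed
(hypothetical) values for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ScanRecord:
    bssid: str            # radio MAC of the AP; present even when the SSID is hidden
    ssid: Optional[str]   # None when the AP does not broadcast its network name
    rssi_dbm: int         # received signal strength at the sensor
    channel: int


# Constructed inventory: radios the store's IT team deployed on purpose.
AUTHORIZED: Dict[str, str] = {
    "00:11:22:33:44:01": "register LAN AP (store back office)",
    "00:11:22:33:44:02": "customer guest AP",
}

# Constructed corporate network name; anyone else beaconing it is an evil twin.
CORPORATE_SSIDS = {"PHILS-POS"}

# Assumed threshold: weaker than this is probably a neighbouring tenant's AP.
NEIGHBOUR_RSSI_DBM = -75

# Constructed sniffer output from one walk-through, including a duplicate
# sighting of an authorized AP at a different strength.
SAMPLE_SCAN: List[ScanRecord] = [
    ScanRecord("00:11:22:33:44:01", "PHILS-POS", -62, 6),
    ScanRecord("00:11:22:33:44:01", "PHILS-POS", -70, 6),     # same AP, second sighting
    ScanRecord("00:11:22:33:44:02", "PHILS-GUEST", -58, 11),
    ScanRecord("AA:BB:CC:00:00:01", "MallFreeWiFi", -82, 1),   # weak: neighbour
    ScanRecord("AA:BB:CC:00:00:02", "Coffee-Next-Door", -79, 6),
    ScanRecord("AA:BB:CC:00:00:03", None, -88, 11),            # hidden but weak
    ScanRecord("DE:AD:BE:EF:00:01", None, -48, 11),            # hidden and very strong
    ScanRecord("DE:AD:BE:EF:00:02", "PHILS-POS", -70, 1),      # corporate SSID, unknown radio
    ScanRecord("CA:FE:00:00:00:01", "linksys", -55, 6),        # strong consumer AP
]


def strongest_per_bssid(records: List[ScanRecord]) -> List[ScanRecord]:
    """Collapse repeated sightings of one radio to its strongest observation."""
    best: Dict[str, ScanRecord] = {}
    for rec in records:
        key = rec.bssid.lower()
        if key not in best or rec.rssi_dbm > best[key].rssi_dbm:
            best[key] = rec
    return list(best.values())


def classify(rec: ScanRecord,
             authorized: Dict[str, str] = AUTHORIZED,
             corporate_ssids=CORPORATE_SSIDS,
             neighbour_rssi: int = NEIGHBOUR_RSSI_DBM) -> str:
    """Label one observed radio. Inventory match is by BSSID, never by SSID."""
    if rec.bssid.lower() in authorized:
        return "authorized"
    # Our own network name from a radio we did not deploy: investigate at any strength.
    if rec.ssid in corporate_ssids:
        return "suspect-evil-twin"
    # Weak unknown radios (hidden or not) are parked as probable neighbours.
    if rec.rssi_dbm < neighbour_rssi:
        return "probable-neighbour"
    # Strong, unknown, and not advertising a name: the "quiet" rogue the SSID hiding
    # was supposed to conceal. The BSSID still gave it away.
    if rec.ssid is None:
        return "suspect-hidden-strong"
    return "unknown-strong"


def triage(records: List[ScanRecord], **kwargs) -> Dict[str, List[str]]:
    """Group deduplicated radios by label; BSSIDs are lowercased and sorted."""
    result: Dict[str, List[str]] = {}
    for rec in strongest_per_bssid(records):
        result.setdefault(classify(rec, **kwargs), []).append(rec.bssid.lower())
    for bssids in result.values():
        bssids.sort()
    return result


def follow_up(triaged: Dict[str, List[str]]) -> List[str]:
    """Radios that need someone to physically locate them before the scan is closed."""
    needs_visit = {"suspect-evil-twin", "suspect-hidden-strong", "unknown-strong"}
    return sorted(b for label, bssids in triaged.items() if label in needs_visit for b in bssids)


if __name__ == "__main__":
    groups = triage(SAMPLE_SCAN)
    for label, bssids in sorted(groups.items()):
        print(f"{label:22s} {', '.join(bssids)}")
    print("follow up:", ", ".join(follow_up(groups)))
```

The threshold does the work of cutting the neighbour noise, so it has to be tuned per site (a kiosk in an open mall concourse sees far more strong foreign radios than a back office does), and it is a heuristic, not a guarantee: an attacker who sets a low transmit power lands in the neighbour bucket. That is why the evil-twin and BSSID-inventory checks run before the strength check rather than after it.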

Manchester said he expected such critiques of the guideline. If nothing else, the guideline helps make companies aware of the dangers, he said. "Criticisms are going to exist no matter how many referees you put on the playing field and how many video replays you have," Manchester said. "I think the guideline helps with this common vocabulary and it helps give people mental models they can share."