July 2009 Archives

Document purpose - This document provides guidance and installation suggestions for testing and/or deploying 802.11 Wireless Local Area Networks (WLAN) for organizations that require Payment Card Industry Data Security Standard (PCI DSS) v1.2 compliance. The goal is to help organizations understand how PCI DSS applies to wireless environments, how to limit the PCI DSS scope as it pertains to wireless, and practical methods and concepts for deploying secure wireless in payment card transaction environments.


PCI_DSS_Wireless_Guidelines.pdf

In an era of consumerism, physician group practices are looking for ways to improve customer service and gain loyalty. So when surveys of patients at Springfield (Ill.) Clinic revealed dissatisfaction with the time-consuming, inefficient check-in process, CIO James Hewitt decided to take action.

Hewitt determined that installing self-service kiosks could help resolve the problem. But when he shopped for devices, he was disappointed with what he found. The hardware was too costly and took too long to implement, he says. And, more important, the kiosks did not integrate well with practice management and electronic health record software.

So he took the extraordinary step of working with two vendors as a co-developer of new kiosk technology. In this way, he was able to build into the kiosk every feature he desired and roll out the devices at a deep discount. Special features include new technology that uses palm scanning for patient identification.

The 195-physician multi-specialty practice, which has two dozen locations in Central Illinois, expects to install as many as 50 kiosks this year after recently testing the hardware at one location. "At our test site, we're seeing, on average, three pieces of registration information changed by patients," Hewitt says. For example, patients are entering new information about their employer, insurer, mailing address or emergency contact.

In addition to the development and testing efforts at Springfield Clinic, George Washington University Medical Faculty Associates, Washington, D.C., is serving as a beta site for the kiosks.

Springfield Clinic collaborated on the project with Tokyo-based Fujitsu Ltd., which manufactures the hardware, and Allscripts-Misys Healthcare Solutions Inc., Chicago, which markets the devices.

Hewitt and several members of his I.T. team did much of the software development work. The CIO has expertise in this arena, having formerly served as CIO at Allscripts.

"I wanted it to look like an airport check-in kiosk with big buttons," Hewitt says. The kiosks have 19-inch touch-screen monitors that patients use to make selections or type in information.

EHR Interface

The kiosks link to both Springfield Clinic's EHR system from Allscripts and its practice management software from GE Healthcare, Waukesha, Wis. When patients initially register to use the kiosks, they can use the Fujitsu palm scanner technology or just scan their credit card or other identification card.

The biometric technology uses near-infrared light to capture a patient's palm vein pattern, generating a template that is then matched against a database of enrolled users' palm-vein patterns.

The palm scanners "give the patient a sense of added security for their records," Hewitt says. "And they have that coolness factor."

The kiosks also have a camera to capture a photo that's displayed every time a patient signs in. The photo is included in the patient's electronic record.

In addition to confirming all scheduled appointments for the day, the kiosks, by linking to electronic records, show reminders, such as the need to slate an eye exam or schedule attendance at a prevention program. Users can update demographic information and make co-payments using a credit card. "The kiosk will even tell you if you are in the wrong location and print out directions to the right one," Hewitt says.

Source Article

Projections that showed there would be 2,500 retail clinics operating by 2010 are coming up short as the industry has seen more clinic closings than openings in recent months.

MinuteClinic, the first and largest retail clinic chain, now owned by CVS, closed 100 of its clinics for the summer, leaving 452. In two years, the number of clinics housed in Wal-Mart dropped from almost 80 to 30. The retail giant recently acknowledged it would not reach the goal it set in 2007: having 400 retail clinics in operation by 2010.

Despite high satisfaction among patients who use retail clinics, investors have found the industry is slow to turn a profit. Many clinics were forced to close when they ran out of cash and were unable to shoulder the financial losses.

Analysts say the current dip doesn't mean the demise of the industry. But it may indicate it's time to change strategy.

Many analysts believe the key to sustainability will be clinics partnering with hospitals that are better prepared to shoulder the initial losses. Clinics also can build on hospital name recognition to attract more patients.

There are about 1,100 retail clinics nationwide.

But the downside is that hospitals move much more slowly than capital investment firms, leading to a drastic slowdown in opening new clinics. In addition, the recession has forced some hospitals to scale back plans for clinics, or choose between funding clinics or other capital projects.

When Wal-Mart first entered the retail clinic market, its strategy was to partner with venture capital-backed chain operators for whom Wal-Mart served solely as the landlord. After RediClinic shut down 15 of its Wal-Mart clinics in 2008 and other independent chains followed suit, Wal-Mart shifted gears and said it would partner with hospital groups.

Its plan was to have 400 hospital-affiliated clinics open by 2010. Half of the clinics were expected to open through a deal with RediClinic, which also cited the benefits of co-branding with hospital groups.

Bruce Shepard, director of health business relationship development for Wal-Mart, said the company decided that hospital partnerships would lead to a more sustainable business model. He said more hospitals are willing to take on the initial financial loss as part of an overall marketing strategy focused on access to care. The clinics can serve as an entry point for new patients to eventually become connected to primary care physicians.

But, Shepard said, the company underestimated the time it would take to get the clinics up and running. "As we learned more and more about the process and the time that it takes to get clinics to fruition with hospitals and health systems, generally, I think that's when we saw that [while] we're still committed to the [400] number, it's going to take a little bit longer."

Partnerships moving slowly

Paul Storey, vice president of physician services for Northwest (Arkansas) Health System, said the hospital system jumped at the chance to open clinics in two of the former RediClinic sites. But it is moving slowly on opening more clinics.

"This is kind of a new business for us, so we are constantly tinkering with how to do things and what to do and how to refine it," he said.

Northwest, which is part of Community Health Systems, has been analyzing locations for new clinics since March. Storey said it is looking at how to make the clinics a success before expanding in that area.

Shepard said that's the case with many of Wal-Mart's potential hospital partners. But he is still getting calls from health systems interested in entering the market. "They see the value and they're wanting to move forward, but ... it's a calculated risk."

Mary Kate Scott, principal of the Marina del Rey, Calif.-based consulting firm Scott & Co., authored a study in 2006 projecting 2,500 retail clinics by 2010. There are now about 1,100 nationwide.

At the time of the study, venture capital firms were still driving much of the growth. These investors not only underestimated the time it would take to turn a profit, Scott said, but they also underestimated the value of marketing. "I am very surprised it's taken that long to market these clinics."

It also takes time -- up to 36 months -- for hospitals to build a new clinic. Still, the partnering strategy makes sense, she said.

Just as hospitals enter the market with the goal of a long-term relationship with that community, so does a retailer like Wal-Mart. "You're actually creating a relationship with someone that could last 30, 40 or 50 years. So why wouldn't you think it would take 18 to 36 months?" Scott said.

Tom Charland, president and CEO of Merchant Medicine, a Shoreview, Minn.-based retail clinic consultancy firm, agreed the hospital-partnered model has the greatest chance of success. But he cautioned that it's not fail-proof.

Hospitals hoping for success must have their physicians behind the idea, he said. If the clinics are to be an extension of the health care delivery strategy, physicians must be willing to work with clinic operators on coordinating care.

But extending the delivery system too far can lead to failure. Aurora Health Care in Milwaukee, for example, had 19 clinics at one time. It's now down to 10.

Aurora did not comment by this article's deadline. But Charland said there was too much saturation in the market, especially after Take Care Health Systems entered the Milwaukee area.

"I think we'll see the slowdown last a couple of years," Charland said. "But I think once some of the things are sorted out with health care and the economy has turned around ... we'll see some shifting, and I think it'll be positive for this industry."

By Pamela Lewis Dolan, AMNews staff. Posted July 27, 2009.


Source link

Article covering wireless transactions and protocols in the context of PCI compliance. Amazing that 11% use WPA2. Gist of the article is that many companies have WEP hardware and need a "blanket" to wrap it in, in order to secure PCI compliance.

July 9, 2009 - TLC-Chamonix, LLC (TLC) unveils its WirelessWall POS Architecture for wireless Point of Sale terminals. It helps retailers achieve PCI DSS compliance by combining AES encryption, firewall, AAA and end-to-end security in a standards-compliant software solution. Now, WEP or even open wireless POS terminals and access points can have WPA2-Enterprise level security without changing any terminals or firmware or replacing network gear. WirelessWall saves time, saves money, and helps you achieve PCI DSS 1.2 network compliance.

The award winning WirelessWall secures wireless and wired infrastructures to provide a transparent instant upgrade to standards compliant, certified (FIPS 140-2) strong security with access controls, allowing business applications and operations to continue undisturbed. It offers peace of mind with better protection, auditability, compliance, and loss prevention, while avoiding the cost of new equipment, new leases and downtime.

Industry Initiative
Faced with the prospect of billions of dollars in losses and lawsuit settlements, the retail industry is finally taking serious measures at self-regulation to protect merchants and consumers from wireless security breaches. Consider:

• 2009 TJX, the parent company of TJ Maxx, Marshalls and other retailers, paid a $9.8M settlement to 41 states after a $40.9M settlement to Visa for wireless POS breaches. It absorbed over $135 million loss from its 2007 incidents alone.
• 2008 breaches identified by the Identity Theft Resource Center totaled 449, with over 22 million records exposed. (That's more than all breaches in 2007, and the individual record count is climbing and will exceed 2007 as well.)
• 2007 breaches totaled 448 paper and electronic breaches with 127 million records exposed. 
• 2006 breaches totaled 315 affecting nearly 20 million individuals. 
• 2005 breaches totaled 158 affecting more than 64.8 million people. 

The Payment Card Industry (PCI) is a consortium of worldwide credit card companies (Visa, MasterCard, American Express, Discover and JCB International). To confront and mitigate these mounting losses, and faced with imminent regulation by state and federal agencies plus penalties for violating existing privacy laws, they formed a Security Standards Council which implemented a Data Security Standard (PCI DSS) to preemptively control the problem.

PCI DSS - A New World Order
The new edition of the standard mandates improved wireless security practices and drops the broken Wired Equivalent Privacy (WEP) protocol as an approved method, in favor of protocols using strong encryption such as AES. See: PCI DSS 1.2

PCI DSS is not merely a set of recommendations -- non-compliance is not an option. It is a contractual obligation which requires all retail merchants, big and small, to comply as a condition of being allowed to continue processing credit cards and consumer information via electronic Point of Sale (POS) terminals or other wireless methods.

According to mandate, retailers may not implement new wireless payment systems that use WEP after March 31, 2009. For those that already have wireless payment systems in place, they must stop using WEP for security as of June 30, 2010. 

Impact Assessment
Naturally, this has enormous significance to operations and the bottom line of retailers. Perhaps just as great is the cost to POS terminal vendors, who have a large inventory of WEP-only wireless terminals that are often leased to merchants. They stand to lose considerable sums replacing or retrofitting equipment at costs which cannot easily be passed on to merchants, especially in a bad recession. 

In these difficult times, vendors and merchants alike need a lower cost, easy to deploy solution that scales from small business to large enterprises with least impact.

WEP Dominates
The mandate bans the use of WEP, but it still dominates and others like WPA2 are poorly adopted. An Airtight 2009 Financial Districts Survey of 3,632 access points in major cities found half were Open or used WEP security. It concluded:

• Everybody who knows security knows WEP is broken, but it still dominates.
• Some used WPA, which had a crack demonstrated in Tokyo in 2008.
• Others hide SSIDs which doesn't protect traffic captured by wireless sniffers.
• 39% were "enterprise" APs (corporate HQs, offices, etc.)
• Only 11% used WPA2 

Even worse than this news is that of the tiny few organizations using WPA2, almost all have implemented pre-shared keys (WPA2-PSK) which has well known dictionary cracks, like CoWPAtty that can crack it in seconds - in many ways, making it worse than WEP.

Why Fix Something that Isn't Broken?
The abysmal failure of WPA2 to gain widespread adoption has not prompted the industry to question why (almost) no one is using it. Serious debate and changes in the telecommunications industry to adopt better technology and new standards will be needed before WEP is entirely eliminated.

WEP is still pervasive in large part because wireless equipment manufacturers and industry groups failed to take decisive action to totally replace it and continue to manufacture equipment that supports it. WPA2 is still a security configuration option (and alphabetically WEP is first in most lists). Many users are simply unaware of the difference.

There is also the reluctance to switch from existing protocols until there is an incident that demands it. This translates to the maxim: Why fix something that isn't broken? Unfortunately, this common sense rule can be very costly when applied to security. WEP is broken, but most users don't know it. The feeling is that if WEP weren't "good enough", why would the protocol still be supported by network equipment?

Consumer awareness is one aspect. Even among the technically knowledgeable, there is little appreciation of the distinction between WPA, WPA2-PSK and the only truly strong protocol: WPA2-Enterprise. All others suffer risk of Man-In-The-Middle attacks, brute-force guessing, or key exchange compromises. The dictionary-attack risk of WPA2-PSK can make it more vulnerable than WEP.

WPA2-Enterprise is the best solution, but many businesses just don't have back-end RADIUS authentication and LDAP identity management servers, or IT staff with the level of knowledge required to use them, so they accept the risk.
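The survey figures and the mandate dates above (no new WEP deployments after March 31, 2009; existing WEP retired by June 30, 2010) are easiest to act on if a wireless scan export is turned into a remediation list. The script below is an added example, not part of the original post or of any vendor's product: it classifies each access point into the same classes the survey uses (Open, WEP, WPA, WPA2-PSK, WPA2-Enterprise), applies the two WEP deadlines, flags WPA2-PSK for review, and reports the class shares. The inventory rows, column names and dates are constructed for illustration.

```python
"""Classify a wireless access-point inventory against the PCI DSS 1.2 WEP
deadlines. Added example; the inventory export and its column names are
constructed, not a real scanner format."""
import csv
import io
from collections import Counter
from datetime import date

# Deadlines quoted in the text: no new WEP deployments after 2009-03-31,
# existing WEP deployments must be migrated by 2010-06-30.
NEW_WEP_BAN = date(2009, 3, 31)
WEP_SUNSET = date(2010, 6, 30)

# Constructed sample export: one row per access point in cardholder scope.
SAMPLE_INVENTORY = """\
ssid,bssid,privacy,auth,cipher,deployed
POS-LANE,00:11:22:33:44:01,WEP,,,2006-08-14
POS-LANE2,00:11:22:33:44:02,WEP,,,2009-05-02
STORE-GUEST,00:11:22:33:44:03,NONE,,,2008-01-10
BACKOFFICE,00:11:22:33:44:04,WPA,PSK,TKIP,2007-11-30
POS-WPA2,00:11:22:33:44:05,WPA2,PSK,CCMP,2009-02-01
POS-WPA2-ENT,00:11:22:33:44:06,WPA2,802.1X,CCMP,2009-06-15
"""


def classify(row):
    """Map one scan row to the security classes used in the survey text."""
    privacy = row.get("privacy", "").upper()
    auth = row.get("auth", "").upper()
    if privacy in ("", "NONE", "OPEN"):
        return "Open"
    if privacy == "WEP":
        return "WEP"
    if privacy == "WPA":
        return "WPA"
    if privacy == "WPA2":
        # 802.1X (RADIUS-backed) is the Enterprise mode; anything else is PSK.
        return "WPA2-Enterprise" if auth == "802.1X" else "WPA2-PSK"
    return "Unknown"


def assess(row, today):
    """Return (class, status, reason) for one AP given the mandate dates."""
    klass = classify(row)
    deployed = date.fromisoformat(row["deployed"])
    if klass == "Open":
        return klass, "non-compliant", "no encryption on cardholder network"
    if klass == "WEP":
        if deployed > NEW_WEP_BAN:
            return klass, "non-compliant", "new WEP deployment after %s" % NEW_WEP_BAN
        if today > WEP_SUNSET:
            return klass, "non-compliant", "WEP still in use after %s" % WEP_SUNSET
        return klass, "remediate", "existing WEP must be retired by %s" % WEP_SUNSET
    if klass == "WPA":
        return klass, "remediate", "WPA/TKIP: migrate to WPA2 with AES"
    if klass == "WPA2-PSK":
        return klass, "review", "pre-shared key: prefer WPA2-Enterprise (802.1X/RADIUS)"
    if klass == "WPA2-Enterprise":
        return klass, "compliant", "strong encryption with per-user authentication"
    return klass, "review", "unrecognised security mode"


def audit(csv_text, today):
    """Assess every row of the export; `today` is a date or ISO string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        klass, status, reason = assess(row, today)
        findings.append({"ssid": row["ssid"], "bssid": row["bssid"],
                         "class": klass, "status": status, "reason": reason})
    return findings


def summary(findings):
    """Share of APs per security class (percent), as the survey reports them."""
    counts = Counter(f["class"] for f in findings)
    total = len(findings)
    return {k: round(100.0 * v / total, 1) for k, v in counts.items()}


if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY, "2009-07-01")
    for f in results:
        print("%-14s %-16s %-14s %s" % (f["ssid"], f["class"], f["status"], f["reason"]))
    print(summary(results))
```

Run with the date of the assessment as the second argument to `audit`; the same WEP access point that is merely "remediate" in July 2009 becomes "non-compliant" once the June 30, 2010 sunset has passed, which is the check an auditor repeats each quarter. Treating "auth" other than 802.1X as PSK errs on the side of flagging, which is the right default for an inventory of unknown provenance.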

The WirelessWall Architecture

WirelessWall is a government-certified (FIPS 140-2) wireless security suite used by the military and DoE. Renowned for its investment protection value, WirelessWall adds WPA2-Enterprise grade protection to the current network as a software-only solution instead of replacing legacy wireless hardware and firmware. The DoD 8100-2 directive is a mandate for federal and state governments to provide standards-based end-to-end strong security. WirelessWall satisfies this directive and was assessed by the Joint Interoperability Testing Center (JITC) for use by Coalition Forces. This high level of protection is now being used to benefit the private sector and retail to eliminate hacking or sniffing end-to-end.

Even if terminals and WiFi gear only support WEP or no security at all, WirelessWall adds a blanket of strong encryption without any reconfiguration, because it bundles WiFi AES encryption with RADIUS, LDAP and firewall policies all in one package.

This solution allows you to meet the compliance requirements listed below.

Table 1 - PCI DSS 1.2 Compliance

PCI DSS Mandate                                                                     Requirements
Install and maintain a firewall configuration to protect cardholder data            1.1, 1.2, 1.3, 1.4, 1.5
Do not use vendor-supplied defaults for system passwords and other security parameters   2.1, 2.2, 2.3
Encrypt transmission of cardholder data across open, public networks                4.1, 4.2
Develop and maintain secure systems and applications                                6.1, 6.2, 6.3, 6.5

Additionally, it is simpler to deploy and administer, and more cost effective than having those in a separate back-end (although it will support external services if needed). WirelessWall supports all wireless gear: all 802.11 protocols, WiMax 802.16e, Mesh and 4G. Using WirelessWall gives you everything for a fraction of the cost and none of the inconvenience of alternatives.



Contact: TLC-Chamonix, LLC
120 Village Square, Suite 11
Orinda, CA 94563, USA
Phone: 877-479-4500
E-Mail: [email protected]
http://wirelesswall.com/
http://wirelesswall.com/markets/pos/POS-mandate-brochure.pdf

The purpose and goal of the EMV standard is to specify interoperability between EMV compliant IC cards and EMV compliant credit card payment terminals throughout the world. There are two major benefits to moving to smart card based credit card payment systems: improved security (with associated fraud reduction), and the possibility for finer control of "offline" credit card transaction approvals.

So someone asks you -- is your kiosk EMV L2, or more specifically are your devices Level 2...

Here are some definitions.

EMV Level 1 covers the electrical and physical interfaces, and the transmission of data, between the terminal and the card. There is an extensive EMVCo defined level 1 approval process, which requires every card reader to have completed laboratory type approval before they can be used to perform EMV transactions. EMVCo also require this approval to be renewed at defined intervals to retain compliance.


EMV Level 2 covers the set of functions that provide all the necessary processing logic and data that is required to select and process a card application in order to perform an EMV transaction.

There is an extensive EMVCo-defined level 2 approval process, which requires every EMV kernel to have completed laboratory type approval before it can be used to perform EMV transactions. EMVCo also requires this approval to be renewed at defined intervals to retain compliance.

So, for example, there are no Level 2 certified card readers; readers are all Level 1. There are, however, Level 2 kernels.

Reference EMVCO link

Level 2 Contact Approved Application Kernels - Within 2 Years

EMV 4.0 Approvals Within the Past Two Years

The following list contains application kernels for which EMVCo has approved the first configuration within the past two years.

EMVCo Terminal Type Approval Level 2 addresses the conformance of the terminal resident application software in whole or in part that supports the required and optional EMV specification functionality.

EMVCo is pleased to announce that the following vendors' application kernels have received EMVCo Terminal Type Level 2 approval according to EMV 4.0.

489 Approved Kernel Configurations/140 Vendors


The EMVCO site also lists devices which meet the EMV L1 certs.

http://www.emvco.com/approvals.aspx?id=84#S

Level 1 Contact Approved Interface Modules

EMVCo Type Approval Level 1 addresses the conformance of Interface Modules (IFM) to the EMV defined set of electrical, mechanical and communication protocol characteristics. EMVCo is pleased to announce the following vendors' interface modules (IFMs) have received EMVCo Terminal Level 1 approval according to EMV 4.0 specifications.

For further details regarding these products, including the test result summary, please contact the relevant vendor. You may also contact EMVCo via the communication facility found on this website. Please go to the home page and select "Contact Us" and follow the prompts to submit your query.

Please note that an IFM marked with an asterisk (*) has some restrictions. These restrictions are listed on the first page of the LOA. Contact the vendor to retrieve a copy of the LOA.

661 IFM Approvals/242 Vendors





