Wireless transactions and PCI DSS 1.2 Compliance

Article covering wireless transaction and protocols in context of PCI compliance. Amazing that 11% use WPA2. Gist of article is that many companies have WEP hardware and need a "blanket" to wrap it is in order to secure PCI compliance. 

July 9, 2009 - TLC-Chamonix, LLC (TLC) unveils its WirelessWall POS Architecture for wireless Point of Sale Terminals. It helps retailers achieve PCI DSS compliance by combining AES encryption, firewall, AAA and end-to-end security in a standards compliant software solution. Now, WEP or even Open wireless POS terminals and Access Points can have WPA2-Enterprise level security without changing any terminals, firmware or replacing network gear. WirelessWall saves time, saves money, and helps makes you achieve PCI DSS 1.2 network compliance.

The award winning WirelessWall secures wireless and wired infrastructures to provide a transparent instant upgrade to standards compliant, certified (FIPS 140-2) strong security with access controls, allowing business applications and operations to continue undisturbed. It offers peace of mind with better protection, auditability, compliance, and loss prevention, while avoiding the cost of new equipment, new leases and downtime.

Industry Initiative
Faced with the prospect of billions of dollars in losses and lawsuit settlements, the retail industry is finally taking serious measures at self-regulation to protect merchants and consumers from wireless security breaches. Consider:

• 2009 TJX, the parent company of TJ Maxx, Marshalls and other retailers, paid a $9.8M settlement to 41 states after a $40.9M settlement to Visa for wireless POS breaches. It absorbed over $135 million loss from its 2007 incidents alone.
• 2008 breaches identified by the Identity Theft Resource Center-breaches totaled 449 with over 22 million records exposed. (That's more than all breaches in 2007 and the individual record count is climbing and will exceed 2007 as well)
• 2007 breaches totaled 448 paper and electronic breaches with 127 million records exposed. 
• 2006 breaches totaled 315 affecting nearly 20 million individuals. 
• 2005 breaches totaled 158 affecting more than 64.8 million people. 

The Payment Card Industry (PCI) is a consortium of worldwide credit card companies (Visa, MasterCard, American Express, Discover and JCB International). To confront and mitigate these mounting losses, and faced with imminent regulation by state and federal agencies plus penalties for violating existing privacy laws, they formed a Security Standards Counsel which implemented a Data Security Standard (PCI DSS) to preemptively control the problem.

PCI DSS - A New World Order
The new edition of the standard mandates improved wireless security practices and drops the broken Wired Equivalency Protocol (WEP) as an approved method, in favor of protocols using strong encryption such as AES. See: PCI DSS 1.2

PCI DSS is not merely a set of recommendations -- non-compliance is not an option. It is a contractual obligation which demands all retail merchants big and small to comply as a condition of being allowed to continue processing credit cards and consumer information via electronic Point of Sale (POS) terminals or other wireless methods. 

According to mandate, retailers may not implement new wireless payment systems that use WEP after March 31, 2009. For those that already have wireless payment systems in place, they must stop using WEP for security as of June 30, 2010. 

Impact Assessment
Naturally, this has enormous significance to operations and the bottom line of retailers. Perhaps just as great is the cost to POS terminal vendors, who have a large inventory of WEP-only wireless terminals that are often leased to merchants. They stand to lose considerable sums replacing or retrofitting equipment at costs which cannot easily be passed on to merchants, especially in a bad recession. 

In these difficult times, vendors and merchants alike need a lower cost, easy to deploy solution that scales from small business to large enterprises with least impact.

WEP Dominates
The mandate bans the use of WEP, but it still dominates and others like WPA2 are poorly adopted. An Airtight 2009 Financial Districts Survey of 3,632 access points in major cities found half were Open or used WEP security. It concluded:

• Everybody who knows security knows WEP is broken, but it still dominates.
• Some used WPA, which had a crack demonstrated in Tokyo in 2008.
• Others hide SSIDs which doesn't protect traffic captured by wireless sniffers.
• 39% were "enterprise" APs (corporate HQs, offices, etc.)
• Only 11% used WPA2 

Even worse than this news is that of the tiny few organizations using WPA2, almost all have implemented pre-shared keys (WPA2-PSK) which has well known dictionary cracks, like CoWPAtty that can crack it in seconds - in many ways, making it worse than WEP.

Why Fix Something that Isn't Broken?
The abysmal failure of WPA2 to gain widespread adoption has not prompted the industry to question why (almost) no one is using it. Serious debate and changes in the telecommunications industry to adopt better technology and new standards will be needed before WEP is entirely eliminated.

WEP is still pervasive in large part because wireless equipment manufacturers and industry groups failed to take decisive action to totally replace it and continue to manufacture equipment that supports it. WPA2 is still a security configuration option (and alphabetically WEP is first in most lists). Many users are simply unaware of the difference.

There is also the reluctance to switch from existing protocols until there is an incident that demands it. This translates to the maxim: Why fix something that isn't broken? Unfortunately, this common sense rule can be very costly when applied to security. WEP is broken, but most users don't know it. The feeling is that if WEP weren't "good enough", why would the protocol still be supported by network equipment?

Consumer awareness is one aspect. Even among the technically knowledgeable, there is little appreciation of the distinction between WPA, WPA2-PSK and the only truly strong protocols: WPA2-Enterprise. All others suffer risk of Man-In-The-Middle attacks, brute-force guessing, or key exchange compromises. The dictionary vulnerability risk of WPA2-PSK can be more vulnerable than WEP.

WPA2-Enterprise is the best solution, but many businesses just don't have back-end RADIUS authentication and LDAP identity management servers or IT with the level of knowledge required to use them, so they accept the risk

The WirelessWall Architecture

WirelessWall is a government certified (FIPS 140-2) wireless security suite used by the military and DoE. Renowned for its investment protection value, WirelessWall adds WPA2-Enterprise grade protection to the current network as a software-only solution instead of replacing legacy wireless hardware and firmware. The DoD 8100-2 directive is mandate for federal and state governments to provide standards based end-to-end strong security. WirelessWall satisfies this directive and was assessed by the Joint Interoperability Testing Center (JITC) for use by Coalition Forces. This high level of protection is now being used to benefit the private sector and retail to eliminate hacking or sniffing end-to-end. 

Even if terminals and WiFi gear only support WEP or no security at all, WirelessWall adds a blanket of strong encryption without any reconfiguration. Because it bundles WiFi AES encryption with RADIUS, LDAP and Firewall Policies all in one package.

This solution allows you to meet the compliance requirements listed below.

Table 1 - PCI DSS 1.2 Compliance
PCI DSS Mandate Requirements
Install and maintain a firewall configuration to protect cardholder data 1.1, 1.2, 1.3, 1.4, 1.5
Do not use vendor-supplied defaults for system passwords and other security parameters 2.1, 2.2, 2.3
Encrypt transmission of cardholder data across open, public networks 4.1, 4.2
Develop and maintain secure systems and applications 6.1, 6.2, 6.3, 6.5

Additionally, it is simpler to deploy and administer, and more cost effective than having those in a separate back-end (although it will support external services if needed). WirelessWall supports all wireless gear: all 802.11 protocols, WiMax 802.16e, Mesh and 4G. Using WirelessWall gives you everything for a fraction of the cost and none of the inconvenience of alternatives.

Contact: TLC-Chamonix, LLC
120 Village Square Suite 
11 Orinda , CA 94563, USA
Phone : 877-479-4500
E-Mail:[email protected] 

Recent Entries

Trends - Number of retail medical clinics shrinking
Projections that showed there would be 2,500 retail clinics operating by 2010 are coming up short as the industry has…
Wireless transactions and PCI DSS 1.2 Compliance
Article covering wireless transaction and protocols in context of PCI compliance. Amazing that 11% use WPA2. Gist of article is…
EMV Level 2 - Just what does it mean?
The purpose and goal of the EMV standard is to specify interoperability between EMV compliant IC cards and EMV compliant…
CUPPS: The Platform of the Future (Airline Kiosk)
CUPPS has been architected as the platform of the future, able to accommodate many things even beyond the agent-facing applications…
EMV takes aim at U.S.
Nice article on SecureIDnews covering EMV. by Andy Williams, Associate Editor, Avisian PublicationsLike a massive tidal wave, EMV continues to roll…
Tokenization and Enterprise Security
Nice article on tokenization which also highlights lack of formal standards for tokenization at this time. Credit Card Tokenization: Put All…
Wal-Mart's Kiosk Trial Raises Serious PCI, Data Ownership Issues
Wal-Mart this month became the latest major retailer to experiment with self-service kiosks, selling space in 77 stores for units…
Proximity (NFC) Mobile Payment Technology - Security Whitepaper
The opportunities offered by the advent of proximity mobile payments are clear; differentiated payment services, increased transaction volumes, faster transactions,…
Look Beyond Hospitality Touch Screen Solutions
Whether you realize it or not, touch technology quickly is becoming the intuitive input delivery method of choice. Look no…
Level 4: The small-merchant PCI challenge
While sensational data breaches experienced by big-box retailers and processors fill the headlines, 85 percent of reported data compromises involve…
ATM Card Skimming and Pin Capture
ATM Card Skimming is a method used by criminals to capture data from the magnetic stripe on the back of…
Background - Use of Electronic Health Records in U.S. Hospitals
Report from New England Journal of Medicine on Electronic Health Records. Concludes - very low levels of adoption in U.S.…
PCI DSS in real life -- Requirement 1 Firewall
Excerpt: Critical to the selection was choosing a vendor that best met PCI DSS (Payment Card Industry Data Security Standard)…
User Interface & Content - Can I Use My Website?
Web sites, self-service can play nicely together according to Jim Kruper of Kioware.  With the increasing number of devices that…
Resource Link - Understanding credit card transaction fees
Merchants accounts, gateways and rates. Having your kiosk process credits cards swiped locally (card present) come with regulatory standard considerations…
Whitepaper - Introduction to CFM or Customer Flow Management
CFM or Customer Flow Management systems are found in more verticals/markets than any other application. Here is a technical document…
Compliance Resource: ETA and Electronic Transaction Compliance
Worth noting Heartland Payment Systems and RBS Worldpay have been removed from Visa Inc.'s list of PCI compliant service providers and…
Going beyond current PCI security standards
Acknowledging the need for controls that go beyond those offered by the Payment Card Industry (PCI) Data Security Standard, a senior…
ADA Requirements - Changes in California
In late 2008 the California legislature passed a stronger version of ADA which was Senate Bill 1608. This bill became…
Opinion - Why is Redbox Afraid of the iPhone?
Over the last few years, Redbox has been able to build an impressive DVD rental network by being innovative and…

Related Ring Sites:
  GoKIS  |   ThinClient.org  |   keefner.com  |   Visi Kiosk site  |   KIOSK  |   Kis-kiosk.com  |
Resource Sites:
  Elo TouchSystems  |   Acire Inc.  |   Nextep  |   TIO Networks  |   Olea  |   Self-Service Networks  |   Meridian Kiosks  |   Provisio  |   Kioware  |
  Selling Machine Partners  |   Source Technologies  |   Seepoint  |   5Point  |   Nanonation  |   Netkey  |   KioskCom  |   Summit Research  |   NCR  |