The Payment Card Industry (PCI) Data Security Standard was created in 2004 by major credit card companies—American Express,
Discover Financial, JCB, MasterCard Worldwide, and Visa International—to provide security and privacy of customers’ credit
card data and personal information. The PCI standard sets specific guidelines for the storage, processing, and transmittal of
all associated data in order to protect cardholders from identify theft.
The PCI standard has several requirements which directly impact wireless LANs. According to the PCI security assessment
guidelines, the scope of compliance validation includes:
“All external connections into the merchant network (e.g., employee remote access, payment card company, third
party access for processing, and maintenance)...” [emphasis added]
Given that wireless LANs can and do provide external connectivity into the merchant network—in office, store, and warehouse
facilities—WLANs must be secured in all of these environments.
Requirement 1: Install and maintain a firewall configuration to protect data.This requirement focuses on locking down the network and covers the preferred standards for documenting, configuring and
maintaining firewalls, network segments (DMZ vs. internal), available protocols and service ports, traffic flow and NAT/PAT.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.This requirement discusses wireless security and encryption, as well as proper password policies. Section 2.1.1 of the PCI Data
Security Standard, added in September 2006, requires that the retailer change default settings on all wireless access points in
the environment. This is a minimal security best practice that should be followed in all wireless installations.
W H I T E P A P E R | Is your WLAN putting your PCI compliance at risk?
RF Manager provides ongoing monitoring and enforcement for this requirement, ensuring that all wireless access points on the
network are properly encrypted and have the proper SSID. Any access point which violates this policy is disabled.
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder and sensitive information across open, public networks.Both of these requirements are intended to protect cardholder data wherever it is stored or transmitted. In requirement 4
there are specific guidelines for secure cryptography and protocols, specifically when cardholder data is transmitted over an open network.
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.Requirement 9: Restrict physical access to cardholder data.
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
Requirement 12: Maintain a policy that addresses information security for employees and contractors.
Conclusion
Just as in wired networks, there is no guarantee that multiple layers of defense will mitigate all threats, since hackers are
always devising new penetration schemes. However, when deploying, configuring, activating and maintaining a solution with it’s best-in-class security functionality, merchants can sleep with confidence knowing that
cardholder information will remain private and secure.
