Don't Let Wireless Detour Your PCI Compliance




Understanding the PCI DSS Wireless Requirements
A Whitepaper by AirTight Networks, Inc.
339 N. Bernardo Avenue, Suite 200, Mountain View, CA 94043
www.airtightnetworks.com
2012 AirTight Networks, Inc. All rights reserved.

Executive Summary

The Payment Card Industry Security Standards Council (PCI SSC) has published a PCI DSS Wireless Guideline which acknowledges that wireless is a clear and present danger to network security, and that those who collect, store or transmit cardholder data must take steps to assure that it is secure, whether or not wireless is deployed in the cardholder data environment. Though the PCI DSS already included wireless security requirements, this is the first time that the requirements for wireless security have been described unambiguously for all cardholder data environments (CDE). Organizations which handle payment card data must take steps to secure the CDE against wireless threats, including unmanaged and unknown wireless devices in the environment, and must scan all locations. This white paper helps those organizations understand how the PCI DSS 1.2 and 2.0 wireless requirements apply to them, how to meet those requirements in a cost-effective way, and how to secure their network and cardholder data from wireless threats.

Introduction

Large data breaches have highlighted the growing popularity of wireless among cybercriminals as a way to gain sensitive data from both wired and wireless networks. The TJX incident, the largest known wireless security breach in U.S. history, is a prime example. Hackers used unsecured wireless as an entry point to access TJX networks worldwide. Over 90 million credit- and debit-card records, and personal information such as social security numbers, driver's license numbers, and military identification of more than 451,000 customers, were stolen. A total of nine retail chains including Office Max, Boston Market, Barnes & Noble, Sports Authority, Forever 21, and DSW were victims of this heist. Forrester Research estimated the cost incurred to cover financial losses and lawsuit settlements to be one billion dollars.

Notably, the wireless networks that were hacked during this incident were not necessarily being used for processing cardholder data, but were connected to wired networks that were part of the cardholder data environment (CDE). This highlighted the need to comprehensively secure the CDE against all types of wireless threats, including those initiated from outside it and those initiated from Rogue wireless access points and clients installed unofficially inside the CDE.

The Payment Card Industry Security Standards Council (PCI SSC) responded promptly by releasing version 1.2 of the PCI Data Security Standard (PCI DSS) in October 2008. The PCI SSC's Wireless Special Interest Group (SIG) followed it with a PCI DSS Wireless Guideline document in July 2009 that clarified the wireless security requirements for PCI compliance, provided guidance on implementing secure wireless LANs, and outlined methods for protecting against threats from wireless devices outside the CDE and from Rogue wireless devices. The PCI SSC continued to highlight the wireless requirements in version 2.0, released in 2010.
Understanding the Cardholder Data Environment

Fundamental to achieving PCI compliance is understanding what comprises a CDE. The PCI SSC Wireless SIG defines the CDE as the computer environment wherein cardholder data is transferred, processed, or stored, and any networks or devices directly connected to that environment. From a wireless security viewpoint, any wireless device that is deployed, officially or unofficially, becomes part of the CDE as long as it provides access to cardholder data in transit, in process, or in storage. Any such device is evidently under the purview of PCI DSS. Officially deployed wireless access points (APs) and clients can violate PCI DSS requirements if they are misconfigured or provide CDE access to unauthorized users. Unofficially deployed Rogue wireless APs and clients can also compromise the security of the entire network and provide CDE access to unauthorized users.

Depending on how wireless usage influences a CDE, the PCI DSS 1.2 wireless security requirements can be broadly grouped into two categories:
- Those that address threats from unknown wireless networks and apply generally to all organizations wanting to comply with PCI DSS; and
- Those that apply to organizations who have deployed an official wireless network inside the CDE.

"[Generally applicable wireless requirements] apply to organizations regardless of their use of wireless technology and regardless of whether the wireless technology is a part of the CDE or not. As a result, they are generally applicable to organizations that wish to comply with PCI DSS." - PCI Security Standards Council Wireless SIG

PCI DSS 1.2 and 2.0 Wireless Security Requirements for All Organizations

Irrespective of whether or not they have deployed a wireless network, organizations cannot afford to discount the presence of unknown or unmanaged wireless devices on their premises. Today all consumer computing devices (e.g., laptops, smartphones, PDAs) have Wi-Fi built in. Wi-Fi APs are inexpensive and available off-the-shelf, so anyone can autonomously deploy their own wireless network at work. The significant risk that these unmanaged wireless devices pose to the CDE has prompted the PCI Security Council to highlight the following PCI DSS requirements as applicable to all organizations wanting to comply with PCI DSS. Regardless of whether an organization runs or bans wireless, it needs to ensure that the CDE is not plagued with such Rogue wireless devices. These are minimum wireless scanning requirements.

Conduct Wireless Scans at Least Quarterly at All Locations

"Although [use of a wireless analyzer for scanning] is technically possible for a small number of locations, it is often operationally tedious, error-prone, and costly for organizations that have several CDE locations. For large organizations, it is recommended that wireless scanning be automated with a wireless IDS/IPS system." - PCI Security Standards Council Wireless SIG

PCI DSS Requirement 11.1: Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use.

Organizations must scan ALL their sites at least quarterly to detect Rogue or unauthorized wireless devices that may be attached to the CDE. Sampling a few sites for scanning is not allowed. Scanning only the CDE wired network does not serve the purpose, as it cannot detect Rogue wireless devices. Walking around with a wireless analyzer to conduct scans is time-consuming, limited in scope (in its ability to discover Rogue APs and in its relevance over a longer time duration), cannot scale to large premises, and is costly if multiple sites have to be scanned. Using a wireless IPS (WIPS) for scanning is a much more convenient and comprehensive alternative.
A WIPS gives you:
- 24x7 monitoring of wireless devices
- Ability to maintain an up-to-date wireless device inventory (recommended by the PCI SSC Wireless SIG)
- Instant detection of Rogue wireless APs
- Automatic blocking of Rogue APs and other wireless threats or hack attacks
- Location tracking capability to physically hunt down Rogue and other threat-posing wireless devices

Monitor Wireless Intrusion Alerts

PCI DSS Requirement 11.4: Use intrusion-detection systems and/or intrusion-prevention systems to monitor all traffic in the cardholder data environment and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines up-to-date.

Unless a wireless network is segmented from the CDE (requirement 1.2.3) using a firewall, the network should be monitored for wireless intrusion attempts. A WIPS should be configured to send automatic threat alerts and instantly notify concerned personnel about potential risks and attacks.
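The core of the quarterly scan (requirement 11.1) and of the up-to-date device inventory the SIG recommends is a comparison of what the sensors see against what the organization has authorized. The following is an added example, not AirTight code and not any WIPS product's logic: it triages constructed scan results against a constructed inventory. The `wired_mac_seen` flag is a stand-in for whatever wired-side correlation a real WIPS performs to decide that an AP is plugged into the CDE LAN; a BSSID match alone is treated only as an identity hint.

```python
"""Triage of scanned wireless devices against an authorized inventory (PCI DSS 11.1).

Added example, not AirTight code. The inventory, the scan records and the
'wired_mac_seen' flag are all constructed for illustration.
"""

# Constructed authorized inventory: BSSID -> expected SSID and security mode.
AUTHORIZED = {
    "00:11:22:33:44:01": {"ssid": "STORE-POS", "security": "WPA2-AES"},
    "00:11:22:33:44:02": {"ssid": "STORE-POS", "security": "WPA2-AES"},
    "00:11:22:33:44:03": {"ssid": "STORE-POS", "security": "WPA2-AES"},
}

# Constructed sensor scan results from one site (one dict per AP seen on air).
SCAN = [
    {"bssid": "00:11:22:33:44:01", "ssid": "STORE-POS",  "security": "WPA2-AES", "wired_mac_seen": True},
    {"bssid": "00:11:22:33:44:02", "ssid": "STORE-POS",  "security": "WEP",      "wired_mac_seen": True},
    {"bssid": "aa:bb:cc:dd:ee:01", "ssid": "linksys",    "security": "OPEN",     "wired_mac_seen": True},
    {"bssid": "aa:bb:cc:dd:ee:02", "ssid": "CoffeeShop", "security": "WPA2-AES", "wired_mac_seen": False},
]


def classify(ap, authorized=AUTHORIZED):
    """Return AUTHORIZED, MISCONFIGURED, ROGUE or EXTERNAL for one scanned AP.

    An inventory BSSID whose on-air SSID or security mode differs from the
    record is MISCONFIGURED (it may violate 2.1.1/4.1.1). An unknown BSSID that
    the wired-side correlation places on the CDE LAN is ROGUE; an unknown BSSID
    with no wired presence is a neighbouring network (EXTERNAL).
    """
    expected = authorized.get(ap["bssid"])
    if expected is not None:
        if ap["ssid"] != expected["ssid"] or ap["security"] != expected["security"]:
            return "MISCONFIGURED"
        return "AUTHORIZED"
    if ap["wired_mac_seen"]:
        return "ROGUE"
    return "EXTERNAL"


def triage(scan, authorized=AUTHORIZED):
    """Group scan results by class; ROGUE and MISCONFIGURED entries need action."""
    result = {"AUTHORIZED": [], "MISCONFIGURED": [], "ROGUE": [], "EXTERNAL": []}
    for ap in scan:
        result[classify(ap, authorized)].append(ap["bssid"])
    return result


def missing_from_scan(scan, authorized=AUTHORIZED):
    """Authorized APs not seen on air: possibly removed, stolen or a sensor gap."""
    seen = {ap["bssid"] for ap in scan}
    return sorted(set(authorized) - seen)


if __name__ == "__main__":
    for cls, bssids in triage(SCAN).items():
        print(f"{cls:13s} {bssids}")
    print("missing      ", missing_from_scan(SCAN))
```

Run per site, per scan cycle; the ROGUE list is what requirement 12.9 says must be physically removed, the MISCONFIGURED list feeds the 2.1.1/4.1.1 checks, and the missing list supports the inventory tracking described under 9.1.3.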

Eliminate Wireless Threats

PCI DSS Requirement 12.9: Implement an incident response plan. Be prepared to respond immediately to a system breach.

A WIPS can help you automatically respond to incidents by blocking wireless threats such as Rogue APs before any damage is done. Any Rogue AP connected to a wired network inside the CDE should be physically removed; the location tracking capability of a WIPS can help locate it. A WIPS can also proactively protect against other common wireless threats such as man-in-the-middle attacks, denial-of-service attacks, and ad-hoc networks.

PCI DSS 1.2 and 2.0 Wireless Security Requirements for a Known WLAN inside the CDE

Organizations that run a wireless network as a part of the CDE need to comply with the following PCI DSS requirements to run a secure wireless network, over and above the requirements discussed in the previous section (11.1 Conduct wireless scans at least quarterly at all locations, 11.4 Use a WIPS to monitor wireless intrusion alerts, and 12.9 Use a WIPS to eliminate wireless threats). These are secure wireless deployment requirements.

Change Default Settings

PCI DSS Requirement 2.1.1: For wireless environments connected to the cardholder data environment or transmitting cardholder data, change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. Ensure wireless device security settings are enabled for strong encryption technology for authentication and transmission.

Change default password: Replace the default password of your wireless AP with a stronger password (at least eight characters and a mix of alphanumeric characters). This will prevent unauthorized users from logging into your AP and manipulating its settings.

Change default SSID: The Service Set Identifier (SSID), or network name, can be configured on a wireless AP.
Replace the default SSID with a unique name that does not reveal the identity or other private information about your organization.

Turn off unused services: By default certain wireless APs may run additional services such as Web-based remote management, zero configuration, and SNMP-based monitoring. If you are not using these services, simply turn them off. If you use SNMP, prefer SNMPv3, which supports stronger authentication than its predecessors.

Turn on security settings: Most wireless APs come with wireless security turned off by default. Cardholder data sent over an unsecured wireless connection is up for grabs and can be passively sniffed by unauthorized users. Turn on the security on your wireless APs and use strong encryption and authentication. See requirement 4.1.1 for more details.

Use Strong Encryption and Authentication

PCI DSS Requirement 4.1.1: For wireless environments connected to the cardholder data environment or transmitting cardholder data, change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. Ensure wireless device security settings are enabled for strong encryption technology for authentication and transmission.

Use Wi-Fi Protected Access (WPA or WPA2) to implement a secure wireless network. Use at least the Temporal Key Integrity Protocol (TKIP), and preferably the Advanced Encryption Standard (AES), to protect in-transit cardholder data against eavesdropping. Implement 802.1X-based central authentication to restrict wireless network access to authorized users. If you instead use Pre-Shared Key (PSK) authentication, use a strong passphrase that is at least eight characters long and mixes alphanumeric and special characters.

Do not use the Wired Equivalent Privacy (WEP) protocol for encrypting wireless data. WEP is fundamentally broken and cannot be fixed by any supplementary solutions. Use of WEP is not allowed in the CDE after June 30, 2010. If using a WEP-encrypted wireless network, a WIPS that detects and blocks WEP cracking attacks could serve as a compensating control. (N.B. In spite of this, recent AirTight studies have still found WEP extant in many retail environments.)

Restrict Physical Access

PCI DSS Requirement 9.1.3: Restrict physical access to wireless access points, gateways, and handheld devices.
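The 2.1.1 and 4.1.1 checklist above (default password, default SSID, unused services, SNMP version and community string, encryption mode, PSK strength) can be turned into a repeatable audit over an exported AP configuration. The following is an added example, not AirTight code: the configuration keys (`ssid`, `admin_password`, `snmp_enabled`, `snmp_community`, `snmp_version`, `extra_services`, `encryption`, `auth`, `psk`) are a hypothetical export format rather than any vendor's, and the lists of vendor defaults are short constructed samples.

```python
"""Configuration audit of one wireless AP against the PCI DSS 2.1.1 / 4.1.1
checklist described above. Added example, not AirTight code; the config key
names and the default-value lists are constructed for illustration."""
import re

# Constructed samples of vendor defaults; a real audit would load a full list.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink"}
DEFAULT_PASSWORDS = {"admin", "password", "1234"}
DEFAULT_COMMUNITIES = {"public", "private"}


def strong_password(pw, min_len=8):
    """2.1.1 guidance: at least eight characters mixing letters and digits."""
    return bool(len(pw) >= min_len and re.search(r"[A-Za-z]", pw) and re.search(r"[0-9]", pw))


def strong_passphrase(pw, min_len=8):
    """4.1.1 PSK guidance: at least eight characters mixing alphanumerics and specials."""
    return bool(len(pw) >= min_len and re.search(r"[A-Za-z0-9]", pw)
                and re.search(r"[^A-Za-z0-9]", pw))


def audit_ap(cfg):
    """Return a list of findings; an empty list means the AP passes every check."""
    findings = []
    if cfg["ssid"].lower() in DEFAULT_SSIDS:
        findings.append("2.1.1: default SSID in use")
    if cfg["admin_password"] in DEFAULT_PASSWORDS or not strong_password(cfg["admin_password"]):
        findings.append("2.1.1: default or weak AP admin password")
    if cfg.get("snmp_enabled"):
        if cfg.get("snmp_community") in DEFAULT_COMMUNITIES:
            findings.append("2.1.1: default SNMP community string")
        if cfg.get("snmp_version") != 3:
            findings.append("2.1.1: SNMP version below v3")
    # extra_services lists services the AP runs but the organization does not use.
    for svc in cfg.get("extra_services", []):
        findings.append(f"2.1.1: unused service still enabled: {svc}")
    enc = cfg["encryption"]
    if enc in ("NONE", "WEP"):
        findings.append(f"4.1.1: {enc} does not provide strong encryption")
    elif enc == "TKIP":
        findings.append("4.1.1: TKIP is the minimum; AES preferred")
    if cfg["auth"] == "PSK" and not strong_passphrase(cfg.get("psk", "")):
        findings.append("4.1.1: weak PSK passphrase")
    return findings


# Constructed configurations: one freshly unboxed AP, one hardened AP.
BAD_AP = {
    "ssid": "linksys", "admin_password": "admin",
    "snmp_enabled": True, "snmp_community": "public", "snmp_version": 2,
    "extra_services": ["web-remote-mgmt"],
    "encryption": "WEP", "auth": "PSK", "psk": "password",
}
GOOD_AP = {
    "ssid": "STORE-POS", "admin_password": "Tr4ck2-Ops-x9",
    "snmp_enabled": True, "snmp_community": "s7Qx!pL2mv", "snmp_version": 3,
    "extra_services": [],
    "encryption": "AES", "auth": "802.1X",
}

if __name__ == "__main__":
    for name, cfg in (("BAD_AP", BAD_AP), ("GOOD_AP", GOOD_AP)):
        print(name, audit_ap(cfg) or "PASS")
```

The WEP check is deliberately a hard failure rather than a warning, matching the June 30, 2010 cut-off stated above; if a WIPS-based compensating control is in place, record it alongside the finding rather than suppressing it.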
Physical access to authorized wireless devices should be restricted to minimize tampering with these devices and exposure of cardholder data. Physical access to wireless APs can be restricted by mounting them high up on ceilings or walls, and by installing them inside tamper-proof enclosures.

Access to laptops and handheld devices should be restricted by using strong passwords. Sensitive information on these devices should be encrypted to prevent unauthorized access even if the device is stolen. A WIPS can also serve as a wireless inventory management system, monitoring wireless devices and their activities, tracking their physical location inside the CDE, and enabling the administrator to quickly discover any missing or tampered devices.

Maintain Logs of Wireless Activity

PCI DSS Requirement 10.5.4: Write logs for external-facing technologies onto a log server on the internal LAN.

Archive logs of wireless activity for over one year on a central server where the logs cannot be tampered with. Review wireless access logs daily to check for any anomalous activity. Here a WIPS can be repurposed to maintain records of the wireless activity it has monitored, and can also help in forensic analysis of past data if necessary.

Develop and Enforce Wireless Usage Policies

PCI DSS Requirement 12.3: Develop usage policies for critical employee-facing technologies (for example, remote-access technologies, wireless technologies, removable electronic media, laptops, personal data/digital assistants (PDAs), e-mail usage and Internet usage) to define proper use of these technologies for all employees and contractors.

In defining wireless usage policies, organizations will need to understand how to securely deploy a wireless network and encourage users to follow best practices when they use wireless laptops and handheld devices. Once wireless access policies are defined, a WIPS can be used to truly enforce those policies and proactively secure the CDE against unauthorized wireless access.

How AirTight Networks Can Help You Meet PCI Compliance

The PCI requirement for conducting wireless scans at all sites can become very demanding. Walking around with wireless analyzers is too tedious and costly for organizations with a large number of sites.
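Requirement 10.5.4 above asks for three things of the wireless activity archive: it lives on a central server, it cannot be tampered with, and it is reviewed daily and retained for over a year. The following added example (not AirTight code, and not how any particular WIPS stores its logs) shows the tamper-evidence part as a hash chain over constructed WIPS event records, plus a daily review pass and a retention check. The record fields and event names are constructed.

```python
"""Hash-chained wireless activity archive with daily review (PCI DSS 10.5.4).

Added example, not AirTight code. Each archive entry stores SHA-256 over the
previous entry's hash plus the canonical JSON of its own record, so editing or
deleting any record invalidates every hash after it. Records are constructed.
"""
import hashlib
import json
from collections import Counter
from datetime import datetime, timedelta

GENESIS = "0" * 64
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
REVIEW_EVENTS = {"ROGUE_AP", "WEP_NETWORK", "DEAUTH_FLOOD"}  # constructed alert names


def _digest(prev_hash, record):
    payload = prev_hash + json.dumps(record, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def append_record(chain, record):
    """Append one record; its hash binds it to everything archived before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "hash": _digest(prev, record)})
    return chain


def verify_chain(chain):
    """Return the index of the first inconsistent entry, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["hash"] != _digest(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return -1


def daily_review(chain, day):
    """Count events for one day (YYYY-MM-DD) and return those needing follow-up."""
    counts, flagged = Counter(), []
    for entry in chain:
        rec = entry["record"]
        if rec["ts"].startswith(day):
            counts[rec["event"]] += 1
            if rec["event"] in REVIEW_EVENTS:
                flagged.append(rec)
    return counts, flagged


def retention_ok(chain, as_of, days=365):
    """True if the archive reaches back at least `days` before `as_of`."""
    if not chain:
        return False
    oldest = datetime.strptime(chain[0]["record"]["ts"], TS_FMT)
    return oldest <= datetime.strptime(as_of, TS_FMT) - timedelta(days=days)


# Constructed sample records as a WIPS might forward them to the log server.
SAMPLE = [
    {"ts": "2012-03-01T09:12:00Z", "site": "store-17", "event": "CLIENT_ASSOC", "bssid": "00:11:22:33:44:01"},
    {"ts": "2012-03-01T09:40:00Z", "site": "store-17", "event": "ROGUE_AP",     "bssid": "aa:bb:cc:dd:ee:01"},
    {"ts": "2012-03-02T08:00:00Z", "site": "store-17", "event": "CLIENT_ASSOC", "bssid": "00:11:22:33:44:01"},
]


def build_archive(records=SAMPLE):
    chain = []
    for r in records:
        append_record(chain, r)
    return chain


if __name__ == "__main__":
    archive = build_archive()
    print("intact:", verify_chain(archive) == -1)
    print(daily_review(archive, "2012-03-01"))
```

A hash chain only proves that the archive is internally consistent; to make it tamper-evident against someone who can rewrite the whole file, the latest hash must be recorded somewhere the log server's administrators cannot change (a write-once store or a periodic export to a separate system), and the retention check should run against that external record of the archive's start.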
Many small- and medium-sized businesses do not have IT resources that they can dedicate to wireless scanning. Additionally, for organizations that do not have a known WLAN AP in the CDE and are subject only to the minimum scanning requirements, a full Wireless IPS (WIPS) capability may not be required.

Built on its leading WIPS technology, AirTight Networks offers AirTight Cloud Services, a hosted wireless security solution for PCI compliance which also includes the option of adding secure Wi-Fi should you want it. This solution automates wireless scanning and requires no IT intervention, making PCI wireless scanning and compliance a low-cost, no-effort affair. Depending on the needs of the organization, AirTight Cloud Services can be upgraded seamlessly to provide full wireless IPS capabilities and Wi-Fi access with a phone call and the click of a mouse.

AirTight Cloud Services are hands-off solutions. The customer installs pre-configured wireless sensors (plug-and-play), responds to a few wireless setup questions and, within 72 hours, begins to receive wireless vulnerability alerts by email. Users can choose to receive a PCI Wireless Compliance report by email monthly or quarterly. Customer data is hosted in a secure SAS70-certified datacenter designed for security and high availability.

AirTight's cloud-based PCI and wireless security solution is offered as three service modules to choose from, at a pricing level unmatched in the industry.

Compliance modules:

| Service | Basic | Wireless IDS | Wireless IPS |
| Automated wireless scanning | Included | Included | Included |
| Compliance report delivered by email monthly or quarterly | Included | Included | Included |
| Real-time email alerts for Rogue AP detection and wireless intrusion | Included | Included | Included |
| Archiving of alerts for one year | Included | Included | Included |
| Access to wireless IDS console | - | Included | Included |
| 24x7 full wireless monitoring | - | Included | Included |
| Troubleshooting and customizable unlimited reporting | - | Included | Included |
| 24x7 full wireless intrusion prevention and automatic incident response | - | - | Included |
| RF heat maps | - | - | Included |
| Location tracking to physically locate and remove Rogue APs | - | - | Included |

Using AirTight Cloud Services, customers:
- Incur no capital expenditures
- Pay only for the wireless security features required
- Grow as needed
- Have an affordable and predictable total cost of ownership
- Do not need to be concerned with hardware or software obsolescence
- Can seamlessly upgrade to get full wireless IPS capabilities

For large enterprises with hundreds or even thousands of sites across the globe, PCI compliance wireless scanning using the AirTight Cloud Services automated, hosted solution is dramatically less expensive in both manpower and cost than walk-around scanning using any wireless analyzer.

About AirTight Networks

AirTight Networks is a global provider of secure Wi-Fi solutions that combine its patented and industry-leading wireless intrusion prevention system (WIPS) technology with the next-generation cloud-managed, controller-less Wi-Fi architecture. This unified approach allows enterprises for the first time to benefit from Wi-Fi access while concurrently protecting their networks 24/7 from wireless threats at no additional cost. AirTight's customers include global enterprises across virtually all industries and range from those who overlay AirTight WIPS on top of other WLAN solutions, to those who leverage the AirTight Cloud Services to manage AirTight Wi-Fi, WIPS, and regulatory compliance (e.g., PCI) across tens of thousands of locations from a single console. AirTight owns 29 granted U.S. and international patents on WIPS and cloud-managed wireless security, with more than 20 additional patents pending. For more information, please visit: www.airtightnetworks.com.

AirTight is a registered trademark of AirTight Networks, Inc. AirTight Networks, the AirTight Networks logo, AirTight Cloud Services and AirTight Secure Wi-Fi are trademarks. All other trademarks are the property of their respective owners.
Conclusions

The PCI Security Standards Council has made it clear that wireless security is a concern that all merchants, regardless of whether or not wireless is deployed, must address. Scanning all sites for wireless vulnerabilities and threats such as Rogue APs, and eliminating them from the cardholder data environment (CDE), is mandatory. A wireless IPS (WIPS) can automate wireless scanning, alert monitoring, compliance reporting and threat prevention. AirTight Networks Cloud Services delivers PCI wireless scanning and wireless intrusion prevention as a hosted, on-demand model. It makes wireless scanning for PCI compliance easy and cost-effective. Organizations can choose the features they need depending on their size and use of wireless, and save significantly as compared to on-site WIPS installations or manual scanning using a wireless analyzer.

The Global Leader in Secure Wi-Fi Solutions
AirTight Networks, Inc.
339 N. Bernardo Avenue #200, Mountain View, CA 94043
T +1.877.424.7844  T 650.961.1111  F 650.961.1169
www.airtightnetworks.com  info@airtightnetworks.com

2012 AirTight Networks, Inc. All rights reserved. AirTight Networks and the AirTight Networks logo are trademarks, and AirTight and SpectraGuard are registered trademarks of AirTight Networks, Inc. All other trademarks mentioned herein are properties of their respective owners. Specifications are subject to change without notice.