Do My Security Controls Achieve Wireless PCI DSS?
PCI compliance in the new world of threats

AirTight Networks, Inc., 339 N. Bernardo Avenue, Suite 200, Mountain View, CA 94043, www.airtightnetworks.com
2015 AirTight Networks, Inc. All rights reserved.
Table of Contents

The Cost of Non-compliance
Impact of Latest Trends on Wi-Fi Security
  New 802.11ac standard creates security blind spots
  Internet of Things is fast becoming a reality
  Mobile POS drives new requirements for Wi-Fi networks
How to Leverage Technology to Lower the Barriers to Wireless Security
The Cost of Non-compliance

The cost of non-compliance and gap remediation is something many retailers consider as they conduct their yearly PCI audit. Non-compliance fines can range anywhere from $5,000 to $200,000 per month depending on the card brand, the nature of the non-compliance, and the number of incidents.

Sidebar: The Cost of Non-Compliance
$5,000 - $200,000: non-compliance fines per month (depending on the card brand, the nature of non-compliance, and the number of incidents). Source: Focus on PCI, http://www.focusonpci.com/site/index.php/pci-101/pci-noncompliant-consequences.html
If your business accepts payment cards, it needs to be PCI compliant to protect customer data. Wi-Fi is a common attack vector. Rising threat levels and new technologies that make networked devices more mobile and interconnected mean that your wireless networks must conform to PCI standards.

On top of audit costs and non-compliance fines, the cost of remediating a breach can be high. According to an October 2014 article in InfoWeek's Dark Reading, "It now takes a large organization an average of 31 days, at a cost of $20,000 per day, to clean up and remediate after a cyber-attack, with the total price tag for a data breach now at $640,000." And if those costs aren't formidable enough, consider the enduring negative impact of bad publicity and waning customer loyalty on the brand equity the retailer has spent a fortune building. Take the most recent high-profile retail data breach: thieves stole 40 million credit and debit cards from Target between Nov. 27 and Dec. 15, 2013, and the impact was devastating.
Sidebar: The Cost of Remediation (impact of a cyber-attack)
43M: PwC detected 43 million security incidents in 2014, a CAGR of 66% since 2009
31 days: average remediation timeframe
$20,000: cost per day
$640,000: total price tag for a data breach
69%: 69% of consumers are less likely to shop at an organization that has been breached
Source: Dark Reading, October 2014, http://www.darkreading.com/attacks-breaches/cost-of-a-data-breach-jumps-by-23-/d/d-id/131663
Source: Verizon 2015 PCI Compliance Report, http://www.verizonenterprise.com/resources/reports/rp_pci-report-2015_en_xg.pdf

According to AdWeek, Target's massive data breach racked up 150 billion media impressions between December 2013 and July 2014. Given the media attention and feelings of mistrust, 35% of the retailer's customers changed their shopping behavior after the breach (source: BizRate Insights). A recent Forbes article estimated that Target's December 2013 data breach has cost the company $148 million in lost sales. Target eventually cut its second-quarter earnings-per-share guidance from $0.85-$1.00 to $0.78, citing the data breach as well as debt retirement expenses as the primary reasons.
Sidebar: Target's Data Breach by the Numbers
40 million: number of credit and debit cards stolen from Target between Nov. 27 and Dec. 15, 2013
70 million: number of records stolen that included the name, address, email address and phone number of Target shoppers
46: percentage drop in profits at Target in the fourth quarter of 2013, compared with the year before
200 million: estimated dollar cost to credit unions and community banks for reissuing 21.8 million cards
100 million: dollars Target says it will spend upgrading its payment terminals to support Chip-and-PIN enabled cards
Brand impact: Target's massive data breach racked up 150 billion media impressions between December and July (AdWeek)
Loyalty impact: 35% of the retailer's customers have changed their shopping behavior post-data breach (BizRate Insights)
Financial impact: Target estimated that its December 2013 data breach has cost the company $148 million in losses (Forbes)

Impact of Latest Trends on Wi-Fi Security

New 802.11ac standard creates security blind spots

Compliance officers need to consider the adoption of the 802.11ac Wi-Fi standard and take an informed approach to securing against vulnerabilities in that spectrum. According to IDC's 2015 Wi-Fi shipment data, the 802.11ac standard continues to see adoption at a breakneck pace in the enterprise segment. It already accounts for 30% of access point shipments, a noticeably faster adoption rate than the 802.11a/b/g to 802.11n transition several years ago. The 802.11ac standard is also coming to consumer devices, and anyone can buy an 802.11ac access point at a local Best Buy, creating a pool of potential rogue access points. Many merchants may be reluctant to invest in 802.11ac technology for their store networks because of the limited capacity of their backhaul. However, the risk of not being able to detect and mitigate 802.11ac threats is real.
From the standpoint of wireless intrusion prevention (WIPS), you need 802.11ac sensors to perform your wireless PCI compliance scanning: 802.11n radios can only detect a subset of the security threats in the 802.11ac spectrum, because an 802.11n radio cannot monitor 802.11ac frame formats. So if you have an aging 802.11n or earlier infrastructure, this is a strong reason to upgrade to 802.11ac technology. Best of all, the upgrade does not come at a CapEx premium, as 802.11ac and 802.11n infrastructure are generally available at comparable prices.

Sidebar: New high-performance 802.11ac standard creates security blind spots
30%: the 802.11ac standard accounts for 30% of access point shipments*
An 802.11n radio cannot monitor 802.11ac frame formats!
*Source: IDC Worldwide Quarterly WLAN Tracker, March 2015, http://www.idc.com/getdoc.jsp?containerid=prus25453915
Internet of Things is fast becoming a reality

IDC predicts that 28 billion connected devices will exist by 2020. How will network and security professionals cope? Awareness of IoT continues to grow rapidly, even though the full IoT reality is expected to come to fruition over the next several years. "Still, with new network infrastructure getting deployed today, having an expected lifespan of five to seven years, it is reasonable to expect it will be able to handle the increased demands of IoT-related apps and traditional network access concurrently," says Nolan Greene, Research Analyst with IDC's Network Infrastructure group.

AirTight is helping merchants prepare by scaling up the network monitoring capabilities of its 802.11ac platform. It can now monitor 2,000 active wireless devices per AP/sensor, which is critical as industries of all kinds move into realms of wider connectivity. Equally important is the capacity of AirTight's cloud management system to scale to hundreds of thousands of monitored devices across multiple geographies and customers. This scalability is coupled with AirTight's patented 802.11ac WIPS technology, which allows for fully automated 24x7 protection with zero false positive / false negative operation. It requires no IT involvement for mitigation of wireless threats or compliance reporting.

Sidebar: Internet of Things Becoming Reality
28B: IDC predicts that 28 billion connected devices will exist by 2020. How will network and security professionals cope?
IoT requires compliance officers to address both device volume and device diversity.
[Diagram: The Internet of Things: Device Volume, Device Diversity, System Scalability, Operational Scalability]
Mobile POS drives new requirements for Wi-Fi networks

Point of sale systems are the lifeblood of any merchant's business. This is a well-established market and upgrade cycles can be long. However, adding mobile POS and preparing for EMV is pushing 47% of restaurants to look at POS upgrades, according to Hospitality Technology's POS Software Trend Report 2015.

Restaurant operators are pragmatic, and rightfully expect their wireless networks to play multiple roles to justify the investment. Wi-Fi has to contribute to business efficiency, improve employee productivity, and play a role in customer engagement. The availability of complimentary Wi-Fi access is becoming an increasingly significant factor in consumers' choice of restaurants, according to the food industry research and consulting firm Technomic. "About 40% of participants in a recent study conducted by the company deemed free Wi-Fi an important or very important consideration in restaurant selection, second only to whether an establishment includes such information as menus on its website," reports Hospitality Technology.

These multi-function networks must be open enough to welcome guests, but also highly secure to protect your brand from data loss and breaches. Both openness and security are needed to achieve operators' vision of digitally enabled restaurants, and the two do not have to be a contradiction. Compliance officers can leverage WIPS technology to lock trusted devices to authorized networks and prevent them from joining neighboring access points. This keeps sensitive applications and data secure and prevents wireless honeypot attacks.

Sidebar: Mobile Technologies Create New Requirements for Wi-Fi Networks
Consumers are becoming more mobile and want to pay and access the internet from anywhere. Businesses must protect these communications.
47% of restaurants are planning POS upgrades to add mobile POS and EMV*
40% of participants in a study conducted by Technomic deemed free Wi-Fi an important or very important consideration in restaurant selection**
* Source: Hospitality Technology's POS Software Trend Report 2015, http://hospitalitytechnology.edgl.com/news/pos-software-trend-report-201597065
** Source: Hospitality Technology, "Restaurants Add Free Wi-Fi to the Menu", http://hospitalitytechnology.edgl.com/news/restaurants-add-free-wi-fi-to-the-menu99463
How to Leverage Technology to Lower the Barriers to Wireless Security

Compliance officers are rightly concerned about human factors, which can often be the soft underbelly of any security policy. To future-proof themselves against both inadvertent security lapses and malicious internal or external actions, merchants should consider behavior-based security, which includes:

- Strong device behavioral analysis logic, since traditional signature- and threshold-based security solutions cannot keep up with evolving monitoring scenarios.
- Fast response time to threats, to tackle new and optimized attack and policy violation triggers.

How should merchants determine whether a wireless PCI solution stands up to the test of security beyond checklist compliance?

- Is threat scanning 24x7, or is it only occasional spot scanning? PCI does not require 24x7 scanning, but continuous scanning is the best practice. Notably, the entire Target breach occurred over only 3 weeks, a much briefer period than a quarter.
- Does the scan merely serve up raw data to compliance officers, or does it filter out genuine threats so they can be mitigated? With too many alarms it is natural to become desensitized, letting human behavioral factors undermine your security and compliance posture.
- Is the solution capable of detecting all types of vulnerabilities? Can it identify various types of rogue APs? If it can only identify a few types of rogues (such as rogues with a correlation between their wired and wireless MAC addresses, so-called MAC adjacency), how can you trust that report, since there could be unidentified rogue APs connected to the CDE among the large number of APs detected during the scan?
- Is the solution capable of automatically containing the identified vulnerabilities? Although automatic mitigation is not a PCI requirement, in large nationwide deployments automatic containment is a requirement for security. Automatic containment reduces the window of vulnerability. Moreover, automatic containment has to occur without false alarms, which can disrupt legitimate operations.
- Is the solution capable of full security operation at the store level without critical dependence on WAN links?

The answers to these critical questions will determine whether merchants are fully armed to protect themselves, both during a compliance audit and against an actual wireless threat.

AirTight Networks, Inc.
339 N. Bernardo Avenue #200, Mountain View, CA 94043
T +1.877.424.7844 | T 650.961.1111 | F 650.961.1169
www.airtightnetworks.com | info@airtightnetworks.com
Secure Cloud-Managed Wi-Fi

2015 AirTight Networks, Inc. All rights reserved. AirTight Networks and the AirTight Networks logo are trademarks, and AirTight is a registered trademark of AirTight Networks, Inc. All other trademarks mentioned herein are properties of their respective owners. Specifications are subject to change without notice.
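As an added illustration of the rogue AP question above (this is example code written for this page, not AirTight's product code), the following Python sketch implements the "MAC adjacency" correlation between a switch's wired address table and BSSIDs seen in the air, and shows why a report built on that check alone leaves a pile of unclassified APs. All MAC addresses, the tolerance value and the function names are constructed assumptions.

```python
# Added example, not AirTight's code: a minimal "MAC adjacency" rogue AP classifier.
# A consumer AP plugged into the wired network usually has a wired MAC and a
# wireless BSSID that differ only in the last few bits, so a non-authorized BSSID
# seen in the air that is numerically adjacent to a MAC in the switch address
# table is a likely on-wire rogue. All MACs below are constructed sample values.

def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' into an integer."""
    return int(mac.replace("-", "").replace(":", ""), 16)


def classify_bssids(wired_macs, observed_bssids, authorized_bssids, tolerance=8):
    """Sort observed BSSIDs into authorized, adjacent_rogue (mapped to the wired
    MAC they correlate with) and unclassified. Only MACs sharing an OUI (top 24
    bits) and lying within +/- tolerance are treated as adjacent."""
    authorized = {a.lower() for a in authorized_bssids}
    wired = {mac_to_int(m): m.lower() for m in wired_macs}
    result = {"authorized": [], "adjacent_rogue": {}, "unclassified": []}
    for bssid in observed_bssids:
        bssid = bssid.lower()
        if bssid in authorized:
            result["authorized"].append(bssid)
            continue
        value = mac_to_int(bssid)
        match = next((m for v, m in wired.items()
                      if v >> 24 == value >> 24 and abs(v - value) <= tolerance), None)
        if match:
            result["adjacent_rogue"][bssid] = match
        else:
            # Neither authorized nor correlated: a neighbor's AP, or a rogue whose
            # BSSID does not resemble its wired MAC. Adjacency alone cannot tell
            # these apart, which is the gap the questions above point at.
            result["unclassified"].append(bssid)
    return result


# Constructed sample data (switch address table and a wireless scan).
WIRED_MACS = ["00:11:22:33:44:50", "a4:2b:8c:10:20:30", "d8:5d:4c:aa:bb:01"]
AUTHORIZED_BSSIDS = ["00:1a:1e:01:02:03"]
OBSERVED_BSSIDS = [
    "00:1a:1e:01:02:03",  # corporate AP
    "a4:2b:8c:10:20:31",  # consumer router on the wire, BSSID = wired MAC + 1
    "c0:ff:ee:55:66:77",  # on the wire as d8:5d:4c:aa:bb:01, but BSSID unrelated
    "f0:9f:c2:00:00:10",  # neighboring business's AP, not on our wire
]

if __name__ == "__main__":
    for bucket, items in classify_bssids(WIRED_MACS, OBSERVED_BSSIDS, AUTHORIZED_BSSIDS).items():
        print(bucket, items)
```

Only the first rogue is reported; the second sits in the unclassified bucket next to the harmless neighbor, which is why a scanner that stops at MAC adjacency cannot certify that no rogue is attached to the CDE.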