PCI wireless guidelines translate to dollars for VARs


Ben Rothke, Contributor
10.26.2009




In July 2009, the PCI Security Standards Council released its "PCI DSS Wireless Guidelines," an information supplement that explains how organizations that use, or plan to deploy, 802.11 Wi-Fi networks can meet the Payment Card Industry Data Security Standard (PCI DSS).

Establishments with improperly secured or unsecured wireless connections have long been a favorite target of digital thieves looking to gain access to merchant data. Attacks against merchants are bad, not only for businesses, but also for the people whose credit card numbers get pilfered.

The wireless guidelines offer installation suggestions on how to limit the PCI DSS wireless scope as well as practical methods for deployment of secure wireless networks in payment environments. The guidelines also detail some best practices enterprises should put in place to integrate security into an existing Wi-Fi network and subsequently pass a PCI DSS audit.

Solution provider opportunities surrounding PCI DSS and wireless

The hardest aspect of PCI DSS compliance for customers is often maintaining compliance, as it requires constant vigilance. For this reason, the PCI DSS wireless guidelines present a significant and recurring revenue opportunity for solution providers.

Offering a comprehensive wireless security assessment is a good way to get a foot in the door. This type of assessment can include:

  • Use of wireless sniffing equipment to identify and categorize all 802.11 traffic emanating from a given site.
  • A survey of the radio emissions from wireless equipment, from which a map can be generated showing where the access points are, how far their signal reaches, and the locations from which an attack can be initiated.
  • Assessment of the wireless network topology.
  • Verification of network settings: determine whether encryption has been correctly implemented (WPA2 rather than WEP or an open network) and that default credentials and default SSIDs have been changed.
  • Enumeration of wireless IP devices and networks.
  • A deliverable for the client documenting the current state of wireless network security and recommendations for improvement.
  • A review (and update, if necessary) of wireless security policies.
  • A wireless penetration test.

Such an assessment provides customers with a complete review of their wireless network architecture, and in turn better prepares them for PCI DSS compliance audits. Many companies simply don't know if their employees or vendors have installed wireless components attached to their internal networks. These assessments often uncover such rogue wireless devices.

By identifying the risks associated with a wireless network infrastructure, a solution provider can find and mitigate the vulnerabilities that would otherwise enable attackers to access the customer's privileged merchant networks and resources.

Some of the many other service opportunities around wireless PCI DSS compliance include:

  • Gap analysis: Determine where the gaps in wireless compliance are. An example of this type of service would be seeing that the company's policy is not to broadcast the SSID, but finding that it is indeed set to broadcast. Note that this is a gap between policy and configuration rather than a security weakness in itself: hiding the SSID is not a security control, since any sniffer recovers the name from client probe and association frames.
  • Design review: Evaluate the client's wireless networks to determine whether it is compliant with PCI DSS, and document a recommended migration strategy for non-compliant wireless networks to meet PCI DSS requirements.
  • Wireless scan: A scan for rogue wireless devices, which is a part of the assessment detailed above, should be a no-brainer. Software tools such as those offered by AirDefense Inc. or AirMagnet Inc. can make the process easier. These tools provide a wireless intrusion prevention system (WIPS). They are used to monitor the airwaves and help handle wireless issues, including rogue detection, performance monitoring, wireless troubleshooting and more.
  • Secure wireless access point (WAP) configuration: Ensure the WAP is configured to provide the best possible security; misconfigurations often provide opportunities for attackers to break into the secure internal network. At a minimum, WEP has to go: PCI DSS v1.2 Requirement 4.1.1 bars new WEP deployments after March 31, 2009 and all WEP use in the cardholder data environment after June 30, 2010, so WPA2 with AES (CCMP) is the configuration to drive customers toward.
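The assessment checklist earlier in this tip and the gap-analysis, rogue-scan and WAP-configuration services just listed all reduce to the same mechanical step: compare what is actually on the air with the customer's AP inventory and written policy. The script below is an added example to show that step in code; it is not from the tip, the PCI SSC guidelines or any vendor WIPS product. It parses the text that `iw dev <iface> scan` prints on Linux and classifies each BSS as open, WEP, WPA or WPA2 from the Privacy capability bit and the WPA/RSN elements. The scan output, the authorized-AP inventory, the policy and the finding names are all constructed for illustration.

```python
"""Triage 802.11 scan output against an authorized-AP inventory (added example).
Parses the text printed by `iw dev <iface> scan` on Linux. The sample scan, the
inventory and the policy are constructed; none of it comes from the PCI SSC."""
import re
from dataclasses import dataclass, field

# Constructed sample in `iw dev wlan0 scan` format: four BSSs heard from a store.
SAMPLE_SCAN = """\
BSS 00:11:22:aa:bb:01(on wlan0)
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tsignal: -41.00 dBm
\tSSID: StoreNet
\tRSN:\t * Version: 1
\t\t * Pairwise ciphers: CCMP
BSS 00:11:22:aa:bb:02(on wlan0)
\tcapability: ESS Privacy (0x0011)
\tsignal: -55.00 dBm
\tSSID:
\tWPA:\t * Version: 1
\t\t * Pairwise ciphers: TKIP
BSS de:ad:be:ef:00:01(on wlan0)
\tcapability: ESS Privacy ShortPreamble (0x0031)
\tsignal: -62.00 dBm
\tSSID: linksys
BSS de:ad:be:ef:00:02(on wlan0)
\tcapability: ESS ShortSlotTime (0x0401)
\tsignal: -70.00 dBm
\tSSID: Free WiFi
"""

# Constructed inventory (BSSID -> expected SSID) and CDE wireless policy.
AUTHORIZED = {"00:11:22:aa:bb:01": "StoreNet", "00:11:22:aa:bb:02": "StoreNet"}
POLICY = {"broadcast_ssid": False, "required_security": "WPA2", "allow_tkip": False}


@dataclass
class AccessPoint:
    bssid: str
    ssid: str = ""            # empty when the AP does not broadcast its SSID
    signal_dbm: float = 0.0
    privacy: bool = False     # Privacy capability bit set in the beacon
    rsn: bool = False         # RSN (WPA2) information element seen
    wpa: bool = False         # WPA (v1) vendor element seen
    ciphers: set = field(default_factory=set)

    @property
    def security(self) -> str:
        # Privacy bit with no WPA/RSN element means WEP; no Privacy bit means open.
        if self.rsn:
            return "WPA2"
        if self.wpa:
            return "WPA"
        return "WEP" if self.privacy else "OPEN"


_BSS_RE = re.compile(r"^BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.IGNORECASE)


def parse_iw_scan(text: str):
    """One AccessPoint per BSS block; lines the triage does not need are ignored."""
    aps, ap = [], None
    for raw in text.splitlines():
        m = _BSS_RE.match(raw)
        if m:
            ap = AccessPoint(bssid=m.group(1).lower())
            aps.append(ap)
            continue
        line = raw.strip()
        if ap is None:
            continue
        if line.startswith("signal:"):
            ap.signal_dbm = float(line.split()[1])
        elif line.startswith("capability:"):
            ap.privacy = "Privacy" in line.split()
        elif line.startswith("SSID:"):
            ap.ssid = line[5:].strip()
        elif line.startswith("RSN:"):
            ap.rsn = True
        elif line.startswith("WPA:"):
            ap.wpa = True
        elif line.startswith(("* Group cipher:", "* Pairwise ciphers:")):
            ap.ciphers.update(line.split(":", 1)[1].split())
    return aps


def assess(aps, authorized, policy):
    """(bssid, finding, detail) for rogue APs, weak crypto and policy gaps."""
    out = []
    for ap in aps:
        if ap.bssid not in authorized:
            # Heard over the air but not in inventory: rogue until proven otherwise.
            out.append((ap.bssid, "ROGUE", f"ssid={ap.ssid!r} {ap.security} {ap.signal_dbm:.0f} dBm"))
            continue
        if ap.security != policy["required_security"]:
            out.append((ap.bssid, "WEAK_ENCRYPTION", ap.security))
        if "TKIP" in ap.ciphers and not policy["allow_tkip"]:
            out.append((ap.bssid, "WEAK_CIPHER", "TKIP enabled"))
        if ap.ssid and not policy["broadcast_ssid"]:
            out.append((ap.bssid, "POLICY_GAP", f"SSID {ap.ssid!r} is broadcast"))
    return out


if __name__ == "__main__":
    for finding in assess(parse_iw_scan(SAMPLE_SCAN), AUTHORIZED, POLICY):
        print(*finding)
```

On the sample this flags the broadcast SSID on the first store AP as a policy gap, the second store AP for running WPA with TKIP instead of WPA2, and the "linksys" (WEP) and "Free WiFi" (open) BSSs as rogue candidates. Two caveats for the deliverable: an over-the-air scan cannot tell a neighbour's AP from one plugged into the customer's LAN, so each ROGUE entry has to be confirmed against the wired side (switch MAC tables, DHCP leases, or a WIPS that does the correlation), and a one-off run only satisfies the moment it was taken, which is why the recurring-revenue point above holds.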

Remember that the PCI DSS Wireless Guidelines note that an entity must comply with the wireless-related requirements even if it doesn't use wireless as part of its cardholder data environment; in particular, PCI DSS Requirement 11.1 calls for testing for the presence of wireless access points at least quarterly, or deploying a wireless IDS/IPS, precisely so that rogue devices are found. Any customer that must comply with PCI DSS therefore has wireless work to do, and that's something the channel can help customers understand. One caveat worth stating up front: the guidelines are an information supplement, not part of the standard, so the QSA audits against the PCI DSS requirements themselves; the supplement tells you how to meet them.

About the author:
Ben Rothke CISSP, PCI QSA, is a Senior Security Consultant with BT Professional Services and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill).

All Rights Reserved, Copyright 2006 - 2009, TechTarget | Read our Privacy Policy