This week, Renaissance Network Solutions announced a managed WLAN security service to help retailers comply with the Payment Card Industry (PCI) Data Security Standard (DSS). The service, based on technology from Trapeze Networks and AirDefense, is designed for merchants and others that send cardholder data over Wi-Fi during payment transactions.
PCI promise and peril
In January, TJX reported a breach that jeopardized over 45 million credit and debit card numbers. That incident has been attributed in part to a WLAN break-in launched outside a Marshall’s store.
In a related statement, the PCI Security Standards Council said, “Security of customer payment data is not just a payment brand issue but the responsibility of all businesses that participate in the process. All merchants and service providers that store, process and transmit payment card data are required by the payment brands to comply with the PCI Data Security Standard – their customers expect it and their reputations depend on it.”
That standard, PCI DSS Version 1.1, outlines a dozen requirements for security management, policies, procedures, network architecture, software design and other measures to protect cardholder data when stored, processed, or sent over any type of network – including wireless LANs.
However, the PCI Security Standards Council does not enforce compliance. Individual payment brands like AMEX and Discover operate their own security programs. Each brand decides what merchants must do to comply, along with penalties and incentives.
For example, Mastercard and Visa require Tier 1 merchants (those who process over 6 million payments per year) to complete an annual on-site security review and a quarterly network scan by an approved vendor. Tier 3 merchants (those between 20,000 and 1 million transactions per year) need only complete an annual PCI DSS Self Assessment Questionnaire and quarterly scan. Merchants that fail to comply by the deadline may be hit with a $50,000 fine and eventually lose their ability to accept card payments.
Renaissance to the rescue
This week’s announcement by Renaissance, a Georgia-based network solutions provider, is pitched at Tier 2 and 3 merchants – those who operate perhaps a dozen retail stores with WLANs, but cannot afford near-term capital investment in PCI compliance.
Operating in partnership with Trapeze Networks, Renaissance plans to install a Trapeze MP-372 AP in each store, operating as an AirDefense wireless intrusion prevention sensor. All sensors will all report to a central Trapeze MX-800 Controller at the provider’s NOC. Behind the Controller, Renaissance has deployed an AirDefense Enterprise Server, tapping into that product’s integration with Trapeze Ring Master.
Renaissance will use this platform to remotely monitor and respond to any attempted intrusions into the customer’s existing WLAN. “If a rogue PC is trying to intrude on a store’s network, our sensor would detect that and report back to AirDefense,” said Paul Miller, VP of Business Development at Renaissance.
AirDefense prevention policies would then kick in, using the on-site sensor to block the rogue. To avoid blocking legitimate retail Wi-Fi devices, Renaissance plans to start out in discovery mode and work with customers to inventory valid addresses.
“Wireless LANS are a critical exposure points for many organizations,” commented Diana Kelley, Vice President and Director for the Security and Risk Management Strategies service at Burton Group. “The PCI DSS specifies use of intrusion detection and prevention devices on networks (which can include wired and wireless) to look for suspected compromises. For companies that do not feel confident monitoring their own WLANs, use of a managed service is a viable alternative.”
Charting a path to PCI compliance
But WIPS is just one facet of PCI DSS Compliance. “Customers get really turned off by marketing claims that over-promise,” said Kelley. “When a vendor explains specifically how their solution helps protects credit card information and which portions of the PCI DSS the solution applies to, that’s a lot stronger and more accurate than “PCI Compliance here, step right up and get your PCI Compliance!”
PCI DSS covers a fairly broad range of system and network security policies, measures, and practices. Only a handful of DSS requirements contain text specific to wireless. The most detailed, 4.1.1, requires that WPA, WPA2, IPSEC VPN, or SSL/TLS be used to encrypt wireless cardholder data transmissions:
“Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:
- Use with a minimum 104-bit encryption key and 24 bit-initialization value
- Use ONLY in conjunction with WPA, WPA2, VPN, or SSL/TLS
- Rotate shared WEP keys quarterly (or automatically) [and] whenever there are changes in personnel with access to keys
- Restrict access based on media access code (MAC) address.”
- Use ONLY in conjunction with WPA, WPA2, VPN, or SSL/TLS
Miller believes that a managed WLAN security service is needed to fill a gap between this requirement and reality. “The whole idea behind this service is that Tier 2/3 retailers can’t afford a sensor for each one of their stores, much less a controller. We’re trying to give them this service for under $100 per month per store.”
Furthermore, many retailers have many legacy devices, such as point of sale terminals and printers, which only support WEP. “Anytime you have a PCI auditor in there, they’ll say you’ve got to get off WEP. But retailers just don’t have the budget for that,” said Miller. “If a merchant uses WEP in conjunction with VPN, they are minimally compliant. Adding this service is a further step to avoid relying on WEP.”
In particular, Miller cited the AirDefense WEP cloaking feature used to confuse key crackers. Cloaking was itself the target of a DEFCON hacking this summer, but the goal is to raise the bar and buy more time to upgrade both Wi-Fi APs and clients to WPA2.
“About 50 percent of retailers haven’t even responded [to payment brands] with their Report on Compliance (ROC),” said Miller. “This way, the retailer can fill out their ROC, explaining how they use WEP in conjunction with WIPS cloaking. We put them on the path to full PCI compliance by helping them secure the store today and giving them a migration path to WPA2 using Trapeze.”