PCI council sets out wireless security guidelines

PCI council sets out wireless security guidelines

The Payment Card Industry Security Standards Council (PCI SSC) has published guidelines for retailers on securing wireless networks.

The council set up a special interest group to look into wireless network security for card transactions after the technology was implicated in several data breaches, including the TJX case.

The group of over 40 organisations - including POS vendors, network security companies, acquiring banks and large merchants - is aimed at firms that store, process or transmit cardholder data that may or may not have deployed 802.11 wireless LAN technology as well as assessors that evaluate PCI DSS compliance.

The group has identified nine applicable requirements for PCI DSS compliance in relation to wireless networks. These include making sure passwords are not on default, ensuring strong authentication and setting specific wireless usage policies.

Companies should also ensure they don't allow the copying, moving, or storing of cardholder data onto local hard drives when accessing it via wireless access technologies. The paper also says firms must separate wireless networks that process or store card data from those that do not.

Doug Manchester, chairman, wireless special interest group, says: "This firstever guide will help all in the payment chain, but particularly merchants, better understand the methods necessary to secure their wireless networks, or totally remove the networks from the scope of the DSS and the payment process."

The PCI SCC has set up another three special interest groups, covering scoping, virtualisation and pre-authorisation, which will publish their findings soon.

You can read the wireless guidelines here.

Comments: (0)