Eliminate Wireless Loopholes for Solid PCI Compliance

By Cameron Pumphrey, Director of IT, Magic Brands | July 07, 2009

The state of data theft is out of control. According to Privacy Rights Clearinghouse, a non-profit consumer advocacy organization, in 2009 there have been 141 major data breaches in the U.S., culminating in millions of stolen personal records. Since tracking began in 2005, the total approximation of stolen data records is an astonishing 262 million. As one would expect, many of these organizations are in the hospitality and food service industry. For example, the Wyndham Hotels and Resorts fell victim to a hacker that stole more than 21,000 records in February 2009. In March 2008, a major supermarket chain had all 165 of its stores hacked; the criminals got away with more than 4.2 million credit card numbers. This list goes on and on.

How are criminals getting this information? Some are stealing computers and memory sticks, but the growing trend is to find loopholes in network security and access the local area network through a wireless access point. For example, a hacker can download sensitive information while sitting in a company's parking lot, if the network is not protected or monitored properly. It's that easy. Whether organizations have a WiFi network or not, it is critical to put the appropriate security layer in place to protect against potential breaches.

At Fuddruckers, it is against company policy to have wireless networks at its restaurant locations. However, it has been found that managers and employees were often hooking up wireless routers to get wireless access for personal use at chain locations. This created a huge window of opportunity for would-be hackers to access sensitive corporate information and steal data. Management realized they needed to deploy a wireless LAN (WLAN) intrusion detection system (IDS) that would allow them to see when wireless devices were attached to the wired network. Without it, customer data could have been at risk and Fuddruckers could have been in violation of PCI compliance.

PCI Standards in brief
While a variety of personal information is valuable to hackers, in the underworld of criminal data trading one of the hottest commodities is credit card information. When customers offer their payment card at a point-of-sale, over the Internet, on the telephone, or through the U.S. mail, they want assurance that their account information is safe. To ensure that safety, the PCI (Payment Card Industry) Security Standards Council created the PCI Data Security Standard (DSS).

Developed by the founding payment brands — including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International — PCI DSS helps facilitate the broad adoption of consistent data security measures on a global basis. Failure to comply with the standard may result in the forfeiture of a merchant's ability to process payment cards for merchandise and could leave the organization liable for damages under federal and state laws.

Here are the 12 basic requirements an organization must satisfy for PCI DSS compliance:

1. Install and maintain a firewall configuration
2. Do not use vendor-supplied defaults
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to customer data on a need-to-know basis
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security

A multi-layered defense
It is necessary for operators to actively protect their network with multiple layers of defenses including intrusion detection systems, automated treat responses, and configurable alerts. The Wireless LAN Intrusion Detection Systems (IDS) helped Fuddruckers address six of the 12 requirements. Here's a quick summary that explains how WLAN IDS helped Fuddruckers, and more generally, what operators should look for when selecting a product to protect wireless network security:

Requirement 1: Install and maintain a firewall configuration.
Select a product that maintains a secure wireless network to protect cardholder data by ensuring only authorized wireless devices access the WLAN. It can also assure that all devices adhere to a documented security policy that meets industry and legal standards.

Requirement 2: Do not use vendor-supplied defaults.
The product should identify when vendor-supplied defaults are effective on wireless devices and that should also alert administrators to mitigate the security hazard. In addition, the selected solution should be able to verify whether encryption is used on wireless devices and whether the entity's wireless implementation has security vulnerabilities.

Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks.
The solutions should determine if the transmission of cardholder data over a wireless network is encrypted and alert administrators if it is not. Also, it can identify vulnerabilities in the encryption implementation and alert administrators to mitigate the identified problems.

Requirement 10: Track and monitor all access to network resources and cardholder data.
Features that track and monitor all access to the wireless network and record such information in audit logs stored in a secure, centrally managed database should also be considered in a solution.

Requirement 11: Regularly test security systems and processes.
Requirement 11 can be satisfied with mutually exclusive technologies: (1) a wireless IDS/IPS that identifies all wireless devices in use; or (2) a quarterly scan using a wireless analyzer.

Some products include an intrusion detection system that regularly tests security systems and processes on wireless devices and networks, and determines if security vulnerabilities exist. When vulnerabilities are identified, it sends configurable alerts to administrations.

Requirement 12: Maintain a policy that addresses information security.
Some solutions deliver compliance reports to help document and maintain a security policy that informs organizations whether their wireless network and devices conform to the PCI DSS standard, as well as other industry standards and legal requirements. Also, alerts for security incidents on wireless networks and devices can be automatically reported to the individual or group of individuals responsible for security investigation and vulnerability mitigation.

PCI DSS offers a single approach for merchants who use payment cards for merchandise to safeguard sensitive data for all payment card brands. It helps instill customer confidence and prevent embarrassing data loss.

Cameron Pumphrey is the director of IT at Magic Brands, the parent company of restaurant franchises Fuddruckers and Koo Koo Roo.

Additional writing provided by Chris Roeckl. Roeckl is the VP of marketing at AirMagnet, a provider of security, performance, and compliance solutions for wireless LANs.
 
RELATED ARTICLES

comments powered by Disqus

ht events

2015 Multi-Unit Restaurant Technology Conference
2015 Hotel Technology Forum