Wi-Fi Security

Details: A Wi-Fi connection to the internet can be less secure than wired connections because a cybercriminal does not require physical access to gain entry into the network. In order to secure a wireless network and to meet PCI compliance standards, there are two encryption protocols currently used by IT professionals. Wi-Fi Security Protocols Wireless Protected Access — known familiarly as WPA — and WPA2 were developed to improve the security of Wi-Fi connections by requiring the use of wireless encryption. WPA2 requires stronger encryption than WPA, but IT professionals say it also may slow down the network's performance. Both protocols provide Wi-Fi users with a high level of security and can help minimize the risk of a breach. Securing a Wireless Network to Achieve PCI Compliance Industry regulations for PCI compliance require merchants to protect cardholder data and any payment card information, whether it is printed, processed, transmitted or stored. It requires organizations to extend the same level of security from the wired network to the wireless network and provides specific guidelines as to how to protect point-of-sale data over the wireless network. Additionally, merchants should have secure Wi-Fi as it is defined and required by PCI regulations, including but not limited to the following:

  • The merchant should ensure that only trusted individuals have access to the payment application and its associated environment

  • The mobile device should be stored in a secure location when it is not in use. The merchant should consider locking the mobile device to the merchant's physical location when possible

  • The merchant should place mobile devices in a location that offers the greatest level of security (less customer and employee access), observation, and monitoring when possible

  • Where data passes through a network under the merchant's control (e.g., Wi-Fi or Bluetooth®), ensure that the network is implemented as a secure network

Wi-Fi Network Security The PCI Security Standards Council states the following key points:

  • Even if an organization that must comply with PCI DSS does not use wireless networking as part of the cardholder data environment (CDE), the organization must verify that its wireless networks have been segmented away from the CDE and that wireless networking has not been introduced into the CDE over time

  • Although the PCI DSS outlines requirements for securing existing wireless technologies, there are validation requirements that extend beyond the known wireless devices and require monitoring of unknown and potentially dangerous rogue devices

  • A rogue wireless device is an unauthorized wireless device that can allow access to the CDE; wireless networks can be considered outside of PCI scope if no wireless is deployed or if wireless has been deployed and segmented away from the CDE

  • Regardless of whether wireless networks have been deployed, periodic monitoring is needed to keep unauthorized or rogue wireless devices from compromising the security of the CDE

  • Segmenting wireless networks out of PCI scope requires a firewall between the wireless network and the CDE

Increase Security with Strong Passwords The best passwords are designed to be difficult to discover through intelligent guessing. Security experts recommend the following password guidelines to help maximize Wi-Fi security:

  • Use a minimum password length of 12 to 14 characters, or as many as the software allows

  • Include lowercase and uppercase alphabetic characters, plus numbers and symbols if allowed

  • Generate passwords randomly if possible

  • Avoid using the same password twice in multiple user accounts or software systems

  • Avoid character repetition, keyboard patterns or letter/number sequences

  • Don't use relatives' or pets' names, ancestors' names, birthdays, anniversaries or ID numbers