While I have typically seen merchants and service providers opt to segment their wireless network from the cardholder data environment to keep it out of PCI compliance scope entirely, sometimes this is not feasible. Here is a quick checklist of what is needed when implementing a wireless network as part of your cardholder data environment (CDE):

 

PCI Requirement 1.1.2

Current network diagram with all connections to cardholder data, including any wireless networks

  • Pretty self-explanatory, but don’t forget to keep your network diagrams current and review them at least annually

 

PCI Requirement 1.2.3

Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.

  • This is an interesting requirement; a perimeter firewall is required between a wireless network and systems that STORE cardholder data. If you do not store cardholder data (e.g. you have implemented data tokenization) or you only transmit or process cardholder data, then this requirement would not apply.

 

PCI Requirement 2.1.1

For wireless environments connected to the cardholder data environment or transmitting cardholder data, change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords, and SNMP community strings.

  • Change default encryption keys, and rotate them whenever anyone with knowledge of the keys leaves the company or changes positions; this latter part is typically forgotten
  • Change default SNMP community strings on wireless devices
  • Change default passwords/passphrases on access points
  • Update firmware on wireless devices to support strong encryption for authentication and transmission over wireless networks
  • Change other security-related wireless vendor defaults, if applicable

 

PCI Requirement 4.1.1

Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission.

  • The use of WEP as a security control was prohibited as of 30 June 2010.

 

PCI Requirement 9.1.3

Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines.

  • For merchants, don’t forget this also applies to wireless access points deployed at your store/restaurant locations

 

PCI Requirement 10.5.4

Verify that logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) are offloaded or copied onto a secure centralized internal log server or media.

  • Wireless access points are considered “external-facing”, so the logs from your wireless devices need to be sent to a protected internal system (e.g. your centralized log management platform).

 

PCI Requirement 11.1

Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis.

  • This becomes even more critical to implement if wireless has been implemented within your cardholder data environment.
  • For merchants, don’t forget that wireless scanning is required not just at your data center but at your store locations as well. Not the easiest task, but it is still required.
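One way to turn the quarterly scan into an auditable review: compare what a wireless survey observed against an authorized access-point inventory and flag rogue BSSIDs (Requirement 11.1), authorized APs seen using WEP or open encryption (Requirement 4.1.1), and authorized APs that were not observed at all. This is an added example, not the author's or HALOCK's code; the inventory, BSSIDs, SSIDs and site names are constructed sample data.

```python
"""Quarterly wireless survey review against an authorized AP inventory.

Added example (not from the original post). All BSSIDs, SSIDs and site
names below are constructed sample data, not real devices.
"""
from dataclasses import dataclass

# Encryption modes that fail the "strong encryption" bar (WEP has been
# prohibited as a PCI security control since 30 June 2010).
WEAK_ENCRYPTION = {"OPEN", "WEP"}


@dataclass(frozen=True)
class ObservedAP:
    bssid: str
    ssid: str
    encryption: str  # e.g. "WPA2-AES", "WEP", "OPEN"
    location: str    # site where the scanner was run


# Constructed authorized inventory: BSSID (uppercase) -> (expected SSID, site)
AUTHORIZED = {
    "00:11:22:33:44:01": ("CORP-POS", "store-17"),
    "00:11:22:33:44:02": ("CORP-POS", "store-17"),
    "00:11:22:33:44:03": ("CORP-POS", "datacenter"),
}

# Constructed survey results from a walk-through at one store
SURVEY = [
    ObservedAP("00:11:22:33:44:01", "CORP-POS", "WPA2-AES", "store-17"),
    ObservedAP("00:11:22:33:44:02", "CORP-POS", "WEP", "store-17"),
    ObservedAP("aa:bb:cc:dd:ee:ff", "CORP-POS", "WPA2-AES", "store-17"),  # unknown BSSID using corporate SSID
    ObservedAP("de:ad:be:ef:00:01", "linksys", "OPEN", "store-17"),       # consumer AP, not in inventory
]


def review_survey(survey, authorized):
    """Return (finding_type, bssid, detail, site) tuples for follow-up."""
    seen, findings = set(), []
    for ap in survey:
        key = ap.bssid.upper()
        if key not in authorized:
            findings.append(("unauthorized", key, ap.ssid, ap.location))
            continue
        seen.add(key)
        expected_ssid, expected_site = authorized[key]
        if ap.encryption.upper() in WEAK_ENCRYPTION:
            findings.append(("weak-encryption", key, ap.encryption, ap.location))
        if ap.location != expected_site:
            findings.append(("moved", key, expected_site, ap.location))
    for bssid, (ssid, site) in authorized.items():
        if bssid.upper() not in seen:
            findings.append(("not-observed", bssid, ssid, site))
    return findings
```

Each finding maps to a follow-up action: locate and remove unauthorized APs, reconfigure or replace the WEP device, and confirm whether an unobserved AP is down, moved, or missing from the scan route.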

 

Shelina Samji, PCI QSA
Senior Consultant, PCI Compliance Services
