PCI Free Blog

Data Security Controls Required for Wireless Networks

In case you missed it earlier this year, make sure you’re familiar with the following important information.

If you are considering or have implemented wireless technology to enhance the efficiency of your business, you must create and maintain an overarching security solution to protect your system from being compromised by an unauthorized party. The PCI DSS contains controls that anticipate these threats and shield your wireless network once PCI compliance is achieved. Use of wireless technology is on the rise due to its convenience and efficiency. Because of particular weaknesses inherent in wireless technologies, careful planning and security measures are essential before launching a wireless processing system.

All wireless networks are viewed as “untrusted,” and the card associations strongly urge that security controls be used on any wireless network, regardless of the network’s purpose. If your business uses a wireless network to transmit cardholder information (wireless processing), or its network is connected to a wireless LAN (local area network) without firewall separation, you must employ wireless security protocols and protections.

If your company is storing cardholder information, it adds a new dimension to the security controls you have to put in place. Making sure your network is PCI compliant will automatically insulate your network from many current methods of cyber theft, as the PCI DSS is designed to foresee weak points and entry points in your system and address them. Not only that, but continuously maintaining your PCI compliance throughout the year (as required for any system that uses a public network, such as radio frequencies or the internet) will preserve the integrity of your wireless network as new threats arise, are identified, and are solved. As the PCI DSS adapts to as yet unknown methods of cyber crime, so will your wireless network, as long as you maintain and keep your system PCI compliant.

Storing other cardholder information, such as magnetic stripe data, PIN (personal identification number) data, or v-code (card verification code) data, is not permitted if your wireless network is to be PCI compliant. The PCI DSS does not permit storage of this information for any reason. It does allow storage of credit card numbers and expiration dates, along with other pertinent cardholder data such as name, address and phone number, as long as you have a business or legal need to keep card numbers and as long as you use strong encryption and protect the media containing the sensitive data.
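As an added illustration of the storage rule above (example code written for this post, not from the original article or any payment vendor), the following Go program separates what a terminal captures from what may be written to disk: the record type that is persisted simply has no place for magnetic stripe (Track2), PIN or verification code data, and the card number exists in it only as AES-256-GCM ciphertext plus a masked copy. The key handling is an assumption for the example; a real deployment takes the key from a key-management system.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"strings"
)

// CapturedTransaction is a constructed input as a wireless terminal might deliver it;
// Track2, PIN and CVV are sensitive authentication data that must never be stored.
type CapturedTransaction struct {
	PAN, Expiry, Name, Address, Phone string
	Track2, PIN, CVV                  string
}

// StoredRecord is the only shape written to disk: it has no field for the prohibited
// data, and the PAN is present only as AES-256-GCM ciphertext (nonce || ct || tag).
type StoredRecord struct {
	EncryptedPAN                 []byte
	MaskedPAN                    string // last four digits only, for receipts and UI
	Expiry, Name, Address, Phone string
}

// PANCipher builds the AEAD used for the PAN. The 32-byte key is an assumption
// here; in production it comes from a key-management system, not the data store.
func PANCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(key) != 32 { // reject 128/192-bit keys too
		return nil, errors.New("AES-256 requires a valid 32-byte key")
	}
	return cipher.NewGCM(block)
}

// SanitizeForStorage keeps the permitted fields, drops Track2/PIN/CVV by
// construction, and encrypts the PAN under a fresh random nonce.
func SanitizeForStorage(t CapturedTransaction, gcm cipher.AEAD) (StoredRecord, error) {
	if n := len(t.PAN); n < 13 || n > 19 {
		return StoredRecord{}, errors.New("PAN length out of range")
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{
		EncryptedPAN: gcm.Seal(nonce, nonce, []byte(t.PAN), nil),
		MaskedPAN:    strings.Repeat("*", len(t.PAN)-4) + t.PAN[len(t.PAN)-4:],
		Expiry:       t.Expiry, Name: t.Name, Address: t.Address, Phone: t.Phone,
	}, nil
}
```

An authorised use (a refund, for instance) recovers the number with `gcm.Open` on the stored bytes, splitting off the leading nonce; nothing in the stored shape lets the prohibited data reappear.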

Refer to PCI DSS requirement 4 for information on encryption of cardholder data across open, public networks (like the internet). Refer to PCI DSS requirement 5 for information on the use and regular update of virus protection software. Refer to PCI DSS requirement 6 for information on developing and maintaining secure systems and software applications. Refer to PCI DSS requirement 8 for information on assigning a unique ID to each person with computer access, and to PCI DSS requirement 10 for information on tracking and monitoring all access to network resources and cardholder data.

Following the security controls outlined in the PCI DSS requirements for wireless networks and maintaining your PCI compliance will eliminate much of the worry, not to mention the liability, of processing in a high-tech, high-risk environment.

This entry was posted in PCI Compliance, Sensitive Data Storage, Wireless Technology Security.