White Paper: WPA Not Enough for PCI DSS V1.2
On January 1, a new version of the Payment Card Industry Data Security Standard (PCI DSS), version 1.2, took effect. Summit's PCI DSS white paper, which is updated for PCI DSS v1.2, reveals that solid Wi-Fi client device security is essential for PCI DSS compliance. The white paper also reveals that Wi-Fi Protected Access (WPA), long believed to be sufficient for robust Wi-Fi security, poses unnecessary risks to a PCI DSS strategy.
Wi-Fi is popular in retail because it improves the productivity of mobile workers and reduces the costs of configuring and reconfiguring networks in stores and distribution centers. Many retailers have been using wireless local area networks since before Wi-Fi was a standard, and the majority of retailers consider wireless LANs to be critical components of their information infrastructures. Ensuring that Wi-Fi connections are secure is a critical first step toward achieving PCI DSS compliance.
PCI DSS v1.1 allowed the use of WEP, an outmoded encryption method that is easily broken. PCI DSS v1.2 prohibits WEP on new wireless LANs after March 31 and requires retailers to phase WEP out of existing wireless LANs by the middle of next year.
PCI DSS v1.2 classifies both WPA and WPA2 as sufficient replacements for WEP. In late 2008, however, two German researchers reported a vulnerability in TKIP, the encryption method used by WPA, that could enable an attacker to decrypt individual TKIP-protected packets. AES-CCMP, the encryption method used by WPA2, is not affected by this vulnerability. With thieves growing increasingly sophisticated, security-minded retail organizations need Wi-Fi client devices that support the highest level of standards-based authentication and encryption, which is the Enterprise version of WPA2.
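As an added example (not code from Summit or its white paper), the check an auditor could run over a hostapd-style access point configuration using exactly the criteria stated above: WEP prohibited, TKIP weak, WPA2 with AES-CCMP and 802.1X/EAP as the target. The hostapd parameter names are real; the two sample configurations are constructed for this illustration.

```python
"""Audit hostapd-style AP settings against the criteria above: WEP prohibited,
TKIP weak, WPA2 (RSN) with AES-CCMP and 802.1X/EAP as the target. The hostapd
keys are real; the two sample configurations are constructed for this example."""

def parse_hostapd(text: str) -> dict:
    """Parse key=value lines, skipping blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def audit(conf: dict) -> list[str]:
    """Return findings; an empty list means WPA2-Enterprise with AES-CCMP only."""
    findings = []
    wep = any(k.startswith("wep_key") for k in conf)
    if wep:
        findings.append("WEP keys configured: prohibited for new WLANs, phase out")
    wpa = int(conf.get("wpa", "0"))          # bitfield: 1 = WPA, 2 = WPA2/RSN
    if wpa == 0:
        if not wep:
            findings.append("no WPA/WPA2 configured (open network)")
        return findings
    if wpa & 1:
        findings.append("WPA (v1) enabled: TKIP-based, packet decryption reported")
    # rsn_pairwise falls back to wpa_pairwise in hostapd, so check both
    ciphers = set(conf.get("wpa_pairwise", "").split()) | set(conf.get("rsn_pairwise", "").split())
    if "TKIP" in ciphers:
        findings.append("TKIP pairwise cipher allowed: use AES-CCMP only")
    if wpa & 2 and "CCMP" not in ciphers:
        findings.append("WPA2 enabled without CCMP as a pairwise cipher")
    if "WPA-EAP" not in conf.get("wpa_key_mgmt", "").split():
        findings.append("no 802.1X/EAP key management: not WPA2-Enterprise")
    return findings

# Constructed samples: a WPA/TKIP pre-shared-key AP and the WPA2-Enterprise target.
WEAK_AP = "ssid=STORE-POS\nwpa=1\nwpa_key_mgmt=WPA-PSK\nwpa_pairwise=TKIP\n"
TARGET_AP = ("ssid=STORE-POS\nwpa=2\nwpa_key_mgmt=WPA-EAP\nrsn_pairwise=CCMP\n"
             "ieee8021x=1\nauth_server_addr=192.0.2.10\n")

if __name__ == "__main__":
    for name, text in (("weak", WEAK_AP), ("target", TARGET_AP)):
        print(name, audit(parse_hostapd(text)) or ["meets the target profile"])
```

A mixed-mode AP (wpa=3 with both TKIP and CCMP allowed) is flagged too, since a client can still be negotiated down to TKIP.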
To learn more, read Summit's PCI DSS white paper.