PCI DSS -- The Retail POS Mandate for WirelessWall

Introduction

TLC-Chamonix, LLC today unveiled its WirelesWall POS Architecture for XPe wireless Point of Sale Terminals. It achieves PCI DSS compliance by combining AES encryption, firewall and end-to-end security in a standards compliant software solution. It allows replacement of WEP without having to disturb existing networks or POS terminals (including Fujitsu TeamPoS terminals).

WirelessWall is a unique, encrypting firewall that leaves the network infrastructure fully intact while providing a transparent instant upgrade to WPA2-Enterprise level security, allowing business applications and operations to continue undisturbed. It gives peace of mind from better security, compliance, and loss prevention, while avoiding the cost of new equipment, new leases and downtime.

Industry Initiative

Faced with the prospect of billions of dollars in losses and lawsuit settlements, the retail industry is finally taking serious measures at self-regulation to protect merchants and consumers from wireless security breaches. Consider:

• 2009 TJX, the parent company of TJ Maxx, Marshalls and other retailers, paid a $9.8M settlement to 41 states after a $40.9M settlement to Visa for wireless POS breaches. It absorbed over $135 million loss from its 2007 incidents alone.

• 2008 breaches identified by the Identity Theft Resource Center-breaches totaled 449 with over 22 million records exposed. (That’s more than all breaches in 2007 and the individual record count is climbing and will exceed 2207 as well)

• 2007 breaches totaled 448 paper and electronic breaches with 127 million records exposed.

• 2006 breaches totaled 315 affecting nearly 20 million individuals.

• 2005 breaches totaled 158 affecting more than 64.8 million people.

The Payment Card Industry (PCI) is a consortium of worldwide credit card companies (Visa, Mastercard, American Express, Discover and JCB International). To confront and mitigate these mounting losses, and faced with imminent regulation by state and federal agencies plus penalties for violating existing privacy laws, they formed a Security Standards Counsel which implemented a Data Security Standard (PCI DSS) to preemptively control the problem.

PCI DSS – A New World Order

The latest edition of the standard mandates improved wireless security practices and drops the broken Wired Equivalency Protocol (WEP) as an approved method, in favor of protocols using strong encryption such as AES. See: PCI DSS 1.2

PCI DSS is not merely a set of recommendations -- non-compliance is not an option. It is a contractual obligation which demands all retail merchants big and small to comply as a condition of being allowed to continue processing credit cards and consumer information via electronic Point of Sale (POS) terminals or other wireless method.

According to mandate, retailers may not implement new wireless payment systems that use WEP after March 31, 2009. For those that already have wireless payment systems in place, they must stop using WEP for security as of June 30, 2010.

Impact Assessment

Naturally, this has enormous significance to operations and the bottom line of retailers. Perhaps just as great is the cost to POS terminal vendors, who have a large inventory of WEP-only wireless terminals that are often leased to merchants. They stand to lose considerable sums replacing or retrofitting equipment at costs which cannot easily be passed on to merchants, especially in a bad recession.

In these difficult times, vendors and merchants alike need a lower cost, easy to deploy solution that scales from small business to large enterprises with least impact.

WEP Dominates

The mandate bans the use of WEP, but it still dominates and others like WPA2 are poorly adopted. An Airtight 2009 Financial Districts Survey of 3,632 access points in major cities found half were Open or used WEP security. It concluded:

• Everybody who knows security knows WEP is broken, but it still dominates.
• Some used WPA, which had a crack demonstrated in Tokyo in 2008.
• Others hide SSIDs which doesn't protect traffic captured by wireless sniffers.
• 39% were “enterprise” APs (corporate HQs, offices, etc.)
• Only 11% used WPA2

Even worse than this news is that of the tiny few organizations using WPA2, almost all have implemented pre-shared keys (WPA2-PSK) which has well known dictionary cracks, like CoWPAtty that can crack it in seconds – in many ways, making it worse than WEP.

Why Fix Something that Isn’t Broken?

The abysmal failure of WPA2 to gain widespread adoption has not prompted the industry to question why (almost) no one is using it. Serious debate and changes in the telecommunications industry to adopt better technology and new standards will be needed before WEP is entirely eliminated.

WEP is still pervasive in large part because wireless equipment manufacturers and industry groups failed to take decisive action to totally replace it and continue to manufacture equipment that supports it. WPA2 is still a security configuration option (and alphabetically WEP is first in most lists). Many users are simply unaware of the difference.

There is also the reluctance to switch from existing protocols until there is an incident that demands it. This translates to the maxim: Why fix something that isn’t broken? Unfortunately, this common sense rule can be very costly when applied to security. WEP is broken, but most users don’t know it. The feeling is that if WEP weren’t “good enough”, why would the protocol still be supported by network equipment?

Consumer awareness is one aspect. Even among the technically knowledgeable, there is little appreciation of the distinction between WPA, WPA2-PSK and the only truly strong protocols: WPA2-Enterprise. All others suffer risk of Man-In-The-Middle attacks, brute-force guessing, or key exchange compromises. The dictionary vulnerability risk of WPA2-PSK can be more vulnerable than WEP.

WPA2-Enterprise is the best solution, but many businesses just don’t have back-end RADIUS authentication and LDAP identity management servers or IT with the level of knowledge required to use them, so they accept the risk

The WirelessWall Architecture

The award winning WirelessWall is a government certified (FIPS 140-2) wireless security suite used by the military and DOE. Renown for its investment protection value, WirelessWall adds WPA2-Enterprise grade protection to the current network as a software-only solution instead of replacing legacy wireless hardware and firmware. The DoD 8100-2 directive is mandate for federal and state governments to provide standards based end-to-end strong security. WirelessWall satisfies this directive and was assessed by the Joint Interoperability Testing Center (JITC) for use by Coalition Forces. This high level of protection is now being used to benefit the private sector and retail to eliminate hacking or sniffing end-to-end.

Even if terminals and WiFi gear only support WEP or no security at all, it adds a layer of strong encryption without any reconfiguration. Because it bundles WiFi AES encryption with RADIUS, LDAP and Firewall Policies all in one package, it is simpler to deploy and administer, and more cost effective than having those in a separate back-end (although it will support external services if needed). WirelessWall supports all wireless gear: all 802.11 protocols, WiMax 802.16e, Mesh and 4G. Using WirelessWall gives you everything for a fraction of the cost and none of the inconvenience of alternatives.

Contact: TLC-Chamonix, LLC

120 Village Square Suite
11 Orinda , CA 94563, USA
Phone : +1-877-479-4500
E-Mail:info@tlc-chamonix.com
http://wirelesswall.com/

Why (not) 11i?

A few years ago, the 802.11i draft standard was touted as the solution to secure wireless and make up for the weaknesses of WEP or some of the proprietary protocols like LEAP. Indeed, the 802.11i standard did present a solution called Robust Secure Network (RSN) in addition to weaker levels to accommodate industry transition and "good enough" security for personal/home use.

Fast forward to today. Enterprise mobility and a remote workforce is common. It's an understatement to say the security perimeter is longer. With the coming WiMax revolution, the perimeter can be measured in miles. The 802.11i draft became the 802.11-2007 standard. The need for RSN as the only security level is greater than ever.

Even though the RSN calls for WPA2-Enterprise, most deployments use WPA2-Personal that allows for pre-shared keys (PSK). The resulting encryption can be strong, but the key is vulnerable to dictionary attacks (like CoWPAtty) so it could be guessed. It also doesn't provide end-to-end protection to the datacenter. The "keys are in the ignition" with the 802.11-2007 standard because it does not allow the topography where the Access Point is not the holder of the key material. The CAPWAP standard proposed this "Split MAC" model that made it possible to handle encryption at the datacenter, but this is still a long way from ratification.

In summary, if we ask why not 11i or why not WPA2, the answers are:

• WPA2 is usually deployed as the weaker WPA2-PSK.
  
• WPA2 in all forms leaves the "keys in the ignition" for Access Point vulnerability.
• WPA2 does not provide end-to-end encryption -- the back-door is open.
  
• WPA2 does not avoid the "weakest link" syndrome of non-uniform security across the enterprise.
• Many client machines still don't support WPA2, which can result in allowing pockets of weakness, or costly replacement of user devices if they aren't commodity PCs.
• WPA2-Enterprise is (very) difficult to implement across Mesh networks.
• Cost of upgrading the wireless infrastructure to WPA2 can be high.
  

The use of WirelessWall solves every one of the above problems to make a certified strong, uniform blanket of security and keeps costs down by protecting the investment in existing wireless assets.