In the past, retailers may have read the Payment Card Industry's Data Security Standards (PCI DSS) and for certain sections wondered, "What does this mean and what do I have to do?"
PCI is aiming to answer those questions with special guidance documents aimed at clarifying especially confusing parts of the standards. On Thursday, PCI published the first informational document that it hopes will clarify how retailers should be securing their wireless internet environment.
“The guidelines are not there to add any new control objectives to the DSS requirements, it's more intended to help explain what's required,” Doug Manchester, director of product security for payment technology vendor VeriFone Holdings, told SCMagazineUS.com on Thursday. Manchester chaired the special interest group responsible for the document.
The document is also intended to remove any confusion or ambiguity as to what is required, so that Qualified Security Assessors (QSAs) and retailers have a common understanding, Manchester said. All retailers who are using WiFi internet in their business, even those who do not transmit payment card information over the wireless network, should read the document, Troy Leach, technical director for the PCI Security Standards Council, told SCMagazineUS.com Thursday.
Retailers who use WiFi in their environment, but do not use it to transmit payment card data, must ensure (and be able to demonstrate) that their wireless network is fully segmented from the sensitive cardholder data, Manchester said.
“We have seen in the past that that's a common weak point of an organization's security system and a primary target,” Manchester said. “Even if it's not transmitting cardholder data, you still need to protect it, and make sure that network doesn't bleed into the cardholder data environment.”
Retailers using their WiFi network to transmit payment card data must ensure that the appropriate level of encryption is used. The guidelines recommend retailers enable WPA or WPA2 encryption. Also, retailers must maintain the physical integrity of the devices, have logging capabilities and intrusion prevention features, Manchester said.
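The two requirements summarized above (segmentation of wireless networks that do not carry card data, and WPA/WPA2 plus logging and intrusion prevention on those that do) lend themselves to a simple inventory audit. The following is an added example, not code from the PCI council or from the guidance document; the inventory format, the finding codes, and the sample networks and firewall rules are all constructed for illustration.

```python
"""Audit a small inventory of retail wireless networks against the points the
guidance summary makes: WPA/WPA2 on wireless that carries card data, logging
and wireless intrusion prevention on that same wireless, and strict
segmentation from the cardholder data environment (CDE) for wireless that
does not carry card data.  Inventory format and finding codes are assumptions
made for this example, not part of the PCI guidance."""

from dataclasses import dataclass

# Encryption modes the guidance recommends; WEP and open networks are not among them.
ACCEPTABLE_ENCRYPTION = {"WPA", "WPA2"}


@dataclass
class WirelessNetwork:
    ssid: str
    encryption: str          # "OPEN", "WEP", "WPA" or "WPA2"
    vlan: int                # VLAN the SSID is bridged onto
    carries_card_data: bool  # does payment card data cross this SSID?
    logging_enabled: bool    # are access-point / controller logs collected?
    wips_enabled: bool       # wireless intrusion prevention active?


@dataclass
class FirewallRule:
    src_vlan: int
    dst_vlan: int
    action: str              # "allow" or "deny"


def flows_allowed(rules, src_vlan, dst_vlan):
    """First-match evaluation of inter-VLAN rules, default deny."""
    for rule in rules:
        if rule.src_vlan == src_vlan and rule.dst_vlan == dst_vlan:
            return rule.action == "allow"
    return False


def audit_wireless(networks, cde_vlans, rules):
    """Return a list of (ssid, finding_code) pairs, in inventory order."""
    findings = []
    for net in networks:
        # Weak or absent encryption is flagged on every SSID: the article's
        # point is that wireless is a target even when it carries no card data.
        if net.encryption.upper() not in ACCEPTABLE_ENCRYPTION:
            findings.append((net.ssid, "WEAK_ENCRYPTION"))

        if net.carries_card_data:
            # In-scope wireless must also be monitored and protected.
            if not net.logging_enabled:
                findings.append((net.ssid, "NO_LOGGING"))
            if not net.wips_enabled:
                findings.append((net.ssid, "NO_WIPS"))
        else:
            # Out-of-scope wireless must be demonstrably segmented from the CDE:
            # not placed in a CDE VLAN, and not permitted to reach one.
            if net.vlan in cde_vlans:
                findings.append((net.ssid, "IN_CDE_VLAN"))
            elif any(flows_allowed(rules, net.vlan, cde) for cde in cde_vlans):
                findings.append((net.ssid, "NOT_SEGMENTED"))
    return findings


# Constructed sample inventory (hypothetical store network, not real data).
SAMPLE_CDE_VLANS = {10}
SAMPLE_NETWORKS = [
    WirelessNetwork("POS-WIFI", "WPA2", 10, True, True, True),
    WirelessNetwork("POS-WIFI-2", "WPA", 10, True, False, True),
    WirelessNetwork("GUEST", "WEP", 20, False, False, False),
    WirelessNetwork("BACKOFFICE", "WPA2", 30, False, True, False),
]
SAMPLE_RULES = [
    FirewallRule(30, 10, "allow"),   # back-office VLAN can reach the CDE: finding
    FirewallRule(20, 10, "deny"),    # guest VLAN is blocked from the CDE
]


def run_sample():
    return audit_wireless(SAMPLE_NETWORKS, SAMPLE_CDE_VLANS, SAMPLE_RULES)


if __name__ == "__main__":
    for ssid, code in run_sample():
        print(f"{ssid}: {code}")
```

The audit deliberately treats segmentation as something to be shown from the rule set rather than asserted: an out-of-scope SSID passes only if no rule permits its VLAN to reach a CDE VLAN, which is the "able to demonstrate" part of the requirement.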
Other PCI special interest groups are working to provide clarity about other parts of the DSS that were determined to be challenging for retailers, including scoping, virtualization and pre-authorization. These special interest groups are also expected to publish informational documents.
© Copyright 2014, A Granite Broadcasting Station. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.