Wednesday, July 15, 2009

PCI Council Publishes Wireless Security Guidelines for Payment Cards

Editor's Note: HomeATM CEO, Ken Mages, a noted security expert, has worked on and put forth his recommendations regarding "web security guidelines" for payment cards.

Call it "wPCI."

Considering today's announcement that PCI is publishing "wireless" security guidelines, I don't see any reason why the council wouldn't be 100% behind putting together a Web Special Interest Group (SIG) and beginning this much-needed process as well. In fact, I would humbly suggest that there is a huge void until they publish web security guidelines. Would it take a year and a half? Well, let's just say they could derive a huge head start by giving Ken a call...

Any business accepting credit and debit cards -- and using or considering wireless LANs -- should carefully review the recommendations for use of 802.11 wireless access points that are detailed in the guidelines issued Wednesday by the Payment Card Industry Security Standards Council.

In the past, the council has issued standards that have become required by Visa, MasterCard, banks and others for secure processing of payment and debit cards. Troy Leach, the council's technical director, emphasized that the recommendations in the "PCI Data Security Standard (DSS) Wireless Guideline" are not mandatory for businesses handling payment cards and using WLANs. But he adds, "This is probably the way wireless should have been deployed all along."

And though not officially mandatory, the PCI guideline for WLAN deployments, which expands on the existing 12-part standard PCI DSS that is required, does point merchants in the direction the council thinks is optimum for protecting cardholder data.

The guideline was crafted by the council's Wireless Special Interest Group (SIG), chaired by Doug Manchester, director of product security at VeriFone Holdings, in a process that took more than half a year with 50 SIG participants.

Manchester, who notes the guideline is specifically for WLANs and doesn't include technologies such as Bluetooth (more wireless-technology guidelines can be expected in the future), says the goal was to clear up questions and establish a "common vocabulary."
