PCI Compliance - Eliminate WEP by June 30 2010

The Payment Card Industry Data Security Standard(PCI DSS) requires companies to eliminate all use of Wired Equivalent Privacy (WEP) on their networks. WEP is an outdated standard and its problem is that it uses insecure cryptography. This allows hackers using AirCrack to penetrate WEP networks in a matter of seconds. The release of PCI DSS 1.2 in late 2008 from the PCI Security Standards Council set forth three new requirements for organizations using wireless networks:

1) Use strong encryption and authentication for all wireless networks.
2) Do not deploy any new WEP networks.
3) Decommission any existing WEP networks by June 30, 2010.

If you have not started you better get moving! You will need to deploy the more secure Wi-Fi Protected Access (WPA) encryption standard.

The WPA standard has been available for more than five or six years. If you have older WEP equipment that does not support WPA - then it will soon be near its life's end. So you must consider replacing it to deploy WPA.

To upgrade your network you will need to upgrade all wireless access points used on your companies campus. You will also need to upgrade your wireless adapters in client systems. If you have Wi-Fi-reliant client devices these will work in the new environment. You can also provide USB wireless adapters for laptop users as required.

One situation I ran into recently, when on a PCI consulting job, was the use of both WEP-encrypted and unencrypted networks running within the buildings. Employees brought their own wireless routers and plugged them into the corporate network. Of course they were caught but this is an issue that needs to be addressed. These are referred to as "Rogue" wireless networks and can be an issue with PCI DSS requirement.

The PCI DSS requirement 11.1 states:
"Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use".

So don't let this one slip by your IT teams! Add it to the procedures and policies of your company so it is not overlooked! Good Luck!