Restaurant Manager offers wireless technologies with the Write-On products, and the following guidelines for secure wireless settings must be followed per PCI DSS 1.2.3, 2.1.1 and 4.1.1.
In sites not using Write-On technology, a merchant may still implement wireless access within the cardholder data environment. In that case, the following guidelines for secure wireless settings must be followed per PCI Data Security Standard 1.2.3, 2.1.1, 4.1.1 and 11.1:
PCI DSS 1.2.3: Perimeter firewalls must be installed between any wireless networks and systems that store cardholder data, and these firewalls must deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.
PCI DSS 2.1.1: Change wireless vendor defaults per the following five points:
• Encryption keys must be changed from the default at installation, and changed any time anyone with knowledge of the keys leaves the company or changes positions.
• Default SNMP community strings on wireless devices must be changed
• Default passwords/passphrases on access points must be changed
• Firmware on wireless devices must be updated to support strong encryption for authentication and transmission over wireless networks (for example, WPA/WPA2)
• Other security-related wireless vendor defaults must be changed, if applicable
Refer to the manufacturer's specific instructions and guides to achieve compliance.
PCI DSS 4.1.1: Industry best practices (for example, IEEE 802.11i) must be used to implement strong encryption for authentication and transmission of cardholder data.
Note: The use of WEP as a security control was prohibited as of June 30, 2010.
Industry best practices are used to implement strong encryption for the following over the wireless network in the cardholder data environment (4.1.1):
• Transmission of cardholder data
• Transmission of authentication data
PCI DSS 11.1: Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis.
11.1.a Verify that the entity has a documented process to detect and identify wireless access points on a quarterly basis.
11.1.b Verify that the methodology is adequate to detect and identify any unauthorized wireless access points, including at least the following:
• WLAN cards inserted into system components
• Portable wireless devices connected to system components (for example, by USB)
• Wireless devices attached to a network port or network device
11.1.c Verify that the documented process to identify unauthorized wireless access points is performed at least quarterly for all system components and facilities.
11.1.d If automated monitoring is utilized (for example, wireless IDS/IPS, NAC, etc.), verify the configuration will generate alerts to personnel.
11.1.e Verify the organization’s incident response plan (Requirement 12.9) includes a response in the event unauthorized wireless devices are detected.
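The quarterly detection process in 11.1.b through 11.1.e can be supported by comparing a wireless survey against the site's authorized AP inventory. The script below is an added example, not part of the Restaurant Manager guide; the inventory, BSSIDs and SSIDs are constructed, and the finding labels are this example's own.

```python
# Added example, not part of the Restaurant Manager guide: a quarterly rogue AP
# check for PCI DSS 11.1. It compares a wireless survey with the site's authorized
# AP inventory and returns the findings that should alert personnel (11.1.d) and
# feed the incident response plan (11.1.e). All BSSIDs and SSIDs are constructed.
from typing import Dict, List, Optional, Tuple

# Authorized inventory: BSSID -> (SSID, physical location). Constructed sample.
AUTHORIZED: Dict[str, Tuple[str, str]] = {
    "00:11:22:aa:bb:01": ("RMH-STORE-12", "kitchen ceiling"),
    "00:11:22:aa:bb:02": ("RMH-STORE-12", "dining room"),
}


def classify(bssid: str, ssid: str, authorized=AUTHORIZED) -> Optional[str]:
    """Return a finding label for one observed AP, or None when it is authorized."""
    bssid = bssid.lower()
    if bssid in authorized:
        # Known radio advertising a different name: misconfiguration or tampering.
        return None if ssid == authorized[bssid][0] else "ssid-mismatch"
    if ssid in {s for s, _ in authorized.values()}:
        # Unknown radio using the store's own SSID: handhelds could join it by mistake.
        return "unknown-ap-using-site-ssid"
    # Any other radio heard inside the facility must be located and explained.
    return "unknown-ap"


def rogue_ap_report(survey: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map BSSID -> finding for every (bssid, ssid) observation that is not authorized."""
    findings: Dict[str, str] = {}
    for bssid, ssid in survey:
        label = classify(bssid, ssid)
        if label:
            findings[bssid.lower()] = label
    return findings


# Constructed survey: the two legitimate APs, one unknown radio using the store
# SSID, and one unrelated neighbor network.
SAMPLE_SURVEY = [
    ("00:11:22:AA:BB:01", "RMH-STORE-12"),
    ("00:11:22:AA:BB:02", "RMH-STORE-12"),
    ("de:ad:be:ef:00:01", "RMH-STORE-12"),
    ("ca:fe:00:00:00:09", "CoffeeShopGuest"),
]

if __name__ == "__main__":
    for bssid, label in rogue_ap_report(SAMPLE_SURVEY).items():
        print(f"ALERT {label}: {bssid}")
```

Each finding should be documented and handled under the incident response plan referenced in 11.1.e, and the inventory updated whenever an authorized AP is added or replaced.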
The RM Handheld devices run over a wireless network. Strict standards must be adhered to in order to remain PCI compliant. The following sections outline the guidelines for running RM Handheld in a cardholder-safe environment.
Required Specifications
802.11n
WPA2 encryption (as opposed to just WPA)
Recommended Hardware
Basic Models
Pro Model for Larger Sites
Ruckus Access Point: ZoneFlex 7363
Optional Access Point Controller: ZoneDirector ZD1100
PCI requirements for wireless networks are extensive. All the following services and settings are required. Note that some of the requirements are hardware dependent. It is possible that new or different hardware will be required in order to satisfy PCI requirements.
The wireless infrastructure must use WPA2 encryption. WEP encryption is no longer allowed. Firmware on wireless devices must be updated to support strong encryption for authentication and transmission over wireless networks. Therefore, WPA2-capable wireless infrastructure (access point) is a requirement. On the recommended Motorola product, you will find the encryption options under Configuration page > Wireless > MyWireless. Settings on other wireless APs or routers will vary. On some models you select the "WPA/WPA2-TKIP" option; on other models you select WPA2 as the Network Authentication type and then select TKIP as the Data Encryption type.
All handheld hardware must be WPA-enabled if any mobile MSRs are in use in the installation. Since the ASI custom driver for the Socket wireless card does not support WPA, no consumer handhelds with the Socket card can be used in an installation that is also using MSR-capable handhelds such as the iPod Touch with MSR attachment. If you add an iPod Touch with MSR to an existing installation, the entire site must be converted to WPA-capable handhelds in order to satisfy PCI compliance requirements.
Non-Default SSID - The SSID of the wireless network must be changed from the manufacturer's default setting. On most wireless AP products, the SSID setting is on the Wireless Settings page for the wireless network. Change it to something that is unique for each installation.
Disable SSID Broadcast - The broadcast of the SSID in the beacon must be disabled. On Motorola products, uncheck "Broadcast SSID", found under the Configuration page > Wireless > Wireless LAN.
MAC Address Filtering – MAC address filtering must be used on the wireless network to disallow all clients except those specifically listed as trusted handheld client hardware.
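The vendor-default checks of 2.1.1 and the WPA2, SSID, broadcast and MAC-filter requirements above can be verified against an access point's exported settings. The audit below is an added example, not part of the Restaurant Manager guide or any vendor's tooling; the config keys, the short lists of vendor defaults, and both sample configurations are constructed.

```python
# Added example, not part of the Restaurant Manager guide: an audit of an access
# point's exported settings against the wireless rules above (PCI DSS 2.1.1 and
# 4.1.1 plus the SSID, broadcast and MAC-filter requirements). The config keys
# and the lists of vendor defaults are constructed for the example.
from typing import Dict, List

DEFAULT_SSIDS = {"default", "linksys", "motorola", "wireless"}   # illustrative
DEFAULT_SNMP = {"public", "private"}
DEFAULT_ADMIN_PASSWORDS = {"admin", "password", "motorola"}


def audit_ap(cfg: Dict) -> List[str]:
    """Return findings for one AP config; an empty list means every check passed."""
    findings = []
    # 4.1.1: WEP is prohibited outright and the guide requires WPA2.
    auth = cfg.get("auth", "").upper()
    if auth == "WEP" or cfg.get("wep_keys"):
        findings.append("WEP in use (prohibited since 2010-06-30)")
    elif auth != "WPA2":
        findings.append(f"network authentication is {auth or 'open'}, WPA2 required")
    # Non-default SSID, and no SSID in the beacon.
    if cfg.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("SSID is a vendor default")
    if cfg.get("broadcast_ssid", True):
        findings.append("SSID broadcast enabled")
    # MAC filtering must allow only the listed trusted handhelds.
    if not cfg.get("mac_filter_enabled") or not cfg.get("mac_allow_list"):
        findings.append("MAC address filtering not enforcing a trusted client list")
    # 2.1.1: SNMP community strings, admin password and encryption keys changed.
    for community in cfg.get("snmp_communities", []):
        if community.lower() in DEFAULT_SNMP:
            findings.append(f"default SNMP community '{community}'")
    if cfg.get("admin_password", "").lower() in DEFAULT_ADMIN_PASSWORDS:
        findings.append("default administrative password")
    if not cfg.get("psk_changed_from_default", False):
        findings.append("encryption key never changed from default")
    return findings


# Constructed configurations: a factory-state AP and one set up per the guide.
FACTORY_AP = {"auth": "WEP", "ssid": "motorola", "broadcast_ssid": True,
              "snmp_communities": ["public"], "admin_password": "admin"}
HARDENED_AP = {"auth": "WPA2", "ssid": "RMH-STORE-12", "broadcast_ssid": False,
               "mac_filter_enabled": True, "mac_allow_list": ["00:1c:b3:00:00:01"],
               "snmp_communities": ["rm-ro-7f3a9c"], "admin_password": "site-unique-pw",
               "psk_changed_from_default": True}

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY_AP), ("hardened", HARDENED_AP)):
        print(name, audit_ap(cfg) or ["no findings"])
```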
Firewall services must be installed to limit and protect access to the server machine from any wireless network that would otherwise have free access to the store’s wired network.
HARDWARE
Hardware must include Stateful Packet Inspection (SPI).
LOCATION
The firewall shall be placed between the wireless network and the physical network to which the server machine is connected. The goal is to prevent any unnecessary network traffic on the wireless network from gaining access to the wired network. Only necessary packets are allowed, using only necessary ports.
SETTINGS - PORT/SERVICE RESTRICTION
The RM Handheld and the RM Handheld Server process communicate over IP using HTTP on TCP port 9644. Therefore, only TCP port 9644 shall be allowed through the firewall; all other traffic shall be denied.
ACCESS TO HANDHELD SERVER FROM INTERNET (PCI DSS Requirement 2.4)
The RM Handheld Server application shall not be accessible from the Internet. Access shall be limited only to the local network (subnet).
NO ACCESS ALLOWED (PORT 80 CLOSED, AND NO ALTERNATE PORT USED) - Port 80 on the server shall not be accessible from the Internet. Furthermore, no open port from the Internet shall map to the Write-On Server's port 80.
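The port restriction for the wireless segment and the Internet rule for port 80 can both be checked against a firewall's rule list before the site goes live. The checker below is an added example, not part of the Restaurant Manager guide or any firewall vendor's tooling; the rule format, the server address and both sample rule sets are constructed.

```python
# Added example, not part of the Restaurant Manager guide: a check of a firewall
# rule list against the two requirements above. From the wireless zone only TCP
# 9644 to the handheld server may be allowed, ending in a deny-all, and no rule
# or port mapping from the Internet may reach the server's port 80. The rule
# format and the server address are constructed for the example.
from typing import Dict, List

HANDHELD_PORT = 9644      # RM Handheld Server HTTP port named in the guide
SERVER_IP = "10.0.1.10"   # constructed address of the server on the wired LAN


def check_policy(rules: List[Dict]) -> List[str]:
    """Return findings for an ordered rule list; an empty list means it complies."""
    findings = []
    wireless = [r for r in rules if r["src_zone"] == "wireless"]
    # 1. Every allow from wireless must be exactly TCP 9644 to the server.
    for r in wireless:
        if (r["action"] == "allow"
                and (r["proto"], r["dst_ip"], r["dst_port"]) != ("tcp", SERVER_IP, HANDHELD_PORT)):
            findings.append(f"wireless allow rule too broad: {r}")
    # 2. The wireless zone must end with an explicit deny of everything else.
    if not wireless or wireless[-1]["action"] != "deny" or wireless[-1]["dst_port"] != "any":
        findings.append("wireless zone lacks a final deny-all rule")
    # 3. No Internet rule or NAT mapping may terminate on the server's port 80.
    for r in rules:
        if (r["src_zone"] == "internet" and r["action"] in ("allow", "dnat")
                and r["dst_ip"] in (SERVER_IP, "any")
                and (r["dst_port"] in (80, "any") or r.get("map_to_port") == 80)):
            findings.append(f"Internet can reach server port 80: {r}")
    return findings


# Constructed rule sets: one compliant, one with the mistakes the rules above forbid.
GOOD = [
    {"src_zone": "wireless", "action": "allow", "proto": "tcp", "dst_ip": SERVER_IP, "dst_port": 9644},
    {"src_zone": "wireless", "action": "deny", "proto": "any", "dst_ip": "any", "dst_port": "any"},
    {"src_zone": "internet", "action": "deny", "proto": "any", "dst_ip": "any", "dst_port": "any"},
]
BAD = [
    {"src_zone": "wireless", "action": "allow", "proto": "any", "dst_ip": "any", "dst_port": "any"},
    {"src_zone": "internet", "action": "dnat", "proto": "tcp", "dst_ip": SERVER_IP,
     "dst_port": 8080, "map_to_port": 80},
]

if __name__ == "__main__":
    for name, rules in (("good", GOOD), ("bad", BAD)):
        print(name, check_policy(rules) or ["no findings"])
```

The stateful inspection itself (SPI) is a hardware property and is not something a rule list can prove; this check only confirms that the permitted paths are as narrow as the guide requires.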