Friendly Reminder to those who are PCI compliant.. WEP must die in next 12 days.

PCI DSS 1.2 requires that existing installations of 802.11 wireless using WEP must migrate to something more secure before June 30th, 2010.

If your business is PCI compliant, you hopefully are already fully aware that June 30th, 2010 is the deadline to be migrated off of WEP in any area of your network that is involved in credit card handling based on PCI definition and your own logical networking design.

While I'd generally hope that most people had moved off of WEP years ago, you still see it in some POS systems from time to time. Depending on how your network is designed and how you've setup your PCI boundaries, your entire network may have to migrate away from WEP.

I know in some areas businesses had to replace their client hardware to even support anything beyond WEP, which was probably costly in larger client installations. I suspect when people were buying that equipment in the late 90s/early 2000s and the vendors were saying how long the life span would be, they forgot that running DOS and 802.11b only would likely cut that 20 year lifespan down a bit.  I guess the same reason when vendors tout a 30 year MTBF on their equipment that will be legacy within 2 years, I'm not quite as concerned about the difference between one vendor having 25 years and another having 30.. Sure, longer MTBF should result in less frequent failures as a whole, but it's still a negligible number with most respectable vendors.

If you've migrated off of WEP, hopefully you've taken the plunge straight to WPA2-CCMP, so you don't have to be concerned with WPA1-TKIP countermeasure type issues, and the per packet overhead is lower with CCMP than TKIP, at the expense of a little extra computational needs of CCMP. Not to mention the security aspect of CCMP over TKIP.

You can read the full PCI DSS 1.2 specification here.

• Cisco

• PCI 802.11 Wireless