Retailers must check for PCI standards compliance

Complying with governance mandates

Wireless Alert By Joanie Wexler, Network World
January 24, 2007 12:06 AM ET

Just as with your wired network, you must make sure that your wireless network segment complies with the various industry corporate governance mandates that weigh heavily on many executives’ minds these days. The likes of Sarbanes-Oxley, HIPAA, and other industry-specific mandates all specify some security elements that apply to wireless and wired networking alike.

In the retail industry, for example, the Payment Card Industry Data Security Standard (PCI DSS) Version 1.1 was released last September, and any business conducting credit card transactions was supposed to be compliant with it as of this month. There are nine components of PCI DSS 1.1 that relate to wireless LANs. The most prominent ones are protection of over-the-air cardholder data using WPA or WPA2 (recommended) encryption and preventing unauthorized devices from accessing the wireless transaction networks.

Wireless intrusion detection and prevention systems from AirDefense, AirMagnet, AirTight Networks, Aruba Wireless and Network Chemistry are among those that can determine if an unauthorized wireless device is connected to your wired network, which is one measure of PCI compliance.

Meanwhile, Aruba said last week that it has updated its WLAN system software to comply with PCI DSS 1.1, claiming to be the first WLAN vendor to do so. Detection of 802.11n devices (which many enterprises consider rogue at this point, because they are as yet consumer-class and not sanctioned by most enterprises) was added to the Aruba wireless intrusion detection and prevention (WIDP) system as part of the compliance. 802.11n detection is also offered by third-party WIDP makers such as AirTight and AirMagnet.

Mannav Khurana, retail industry lead at Aruba, says the company also supports network address translation (NAT)-capable access points, which hide internal IP addresses from exposure and satisfy a portion of PCI compliance.

The new version of the Aruba operating system will be available on the company’s WLAN system next month.

Joanie Wexler is an independent networking technology writer/editor in Silicon Valley.
