PCI DSS

PCI DSS stands for Payment Card Industry Data Security Standard. It was developed by the major credit card companies, as a guideline to help organizations that process card payments, prevent credit card fraud, cracking and various other security vulnerabilities and threats. A company processing, storing, or transmitting payment card data must be PCI DSS compliant or risk losing their ability to process credit card payments as well as being audited and/or fined.

Merchants and payment card service providers must validate their compliance periodically.  This validation gets conducted by auditors who are the PCI DSS Qualified Security Assessors (QSAs). Smaller companies, processing fewer than about 80,000 transactions a year, are allowed to perform a self-assessment questionnaire.

The current version of the standard (1.1) specifies 12 requirements for compliance, organized into 6 logically related groups, which are called “control objectives”.

Compliance and Wireless LANs

The PCI DSS recognizes wireless LANs as public networks and automatically assumes they are exposed to vulnerabilities and threats. PCI DSS also provides two specific security guidelines to prevent breaches coming in from wireless devices used in any environments containing credit card data.

They are:

ü  Firewall segmentation between wireless networks and the point of sale networks or any network that comes in contact with credit card information.

ü  Use of wireless analyzer (a.k.a. Wireless Intrusion Detection System) to detect any unauthorized wireless devices and attacks.