ADVISORY: The techniques and tools referenced within this blog post may be outdated and do not apply to current situations. However, there is still potential for this blog entry to be used as an opportunity to learn and to possibly update or integrate into modern tools and techniques.
(See Jordan’s Part 1 of this post here.) PCI-DSS strolled into town with the latest compliance package of minutiae-laden IT speak at the end of last year. Business owners are now saddled with mapping, understanding and creating policies and procedures for handling “credit card data flow.” For the majority of these firms, dedicated IT staff and IT security knowledge are non-existent. So, how – you should be asking by now – are PCI compliance and public Wi-Fi insecurity related to each other? In most small to medium businesses where IT is non-existent or is a one-person operation AND you find public wireless offerings, we can bet it is all connected together: the guest Wi-Fi, the corporate network and the card terminals. Let’s bottom line this thing: if your IT budget is in the low thousands to zero range, you should not be providing public Wi-Fi.
Reason number one: your company swipes credit cards, some firm out there processes your payments and expects you to be PCI compliant. The moment a wireless network is deployed at a business, a big red flag goes up. Sure, it is possible to do it right with extensive RADIUS configuration, certificate deployment and a couple of hours of testing, but guess what? If you have no idea what I just said, your Wi-Fi probably isn’t secure. Let’s revisit IT budgets again: who connected this shiny new wireless device to the network? Did they connect it to the corporate network? Do “credit card data flows” traverse the same network? If no one has any clue, the network map doesn’t reflect this new install or any hardware upgrades or additions, and you forgot the change management policies and procedures documentation, guess what? You are not PCI compliant.
Let’s clarify another critical item for getting PCI compliance right: scope. Reason number two you should avoid wireless altogether: you are responsible, as a credit card merchant, for any and all loss traced back to theft on your network. If an organization is lacking the basic tenets of network management – like a network map, responsible network use policies, change management and web filtering – your organization will be forced to host an auditor hired by the credit card company whose customers lost money. I assure you that in nearly every one of these cases, the small to medium business is found liable.
Here is one more reason your organization probably should not be offering public Wi-Fi: responsibility. If a business provides the medium over which malfeasance occurs, the business is responsible. Back to budgets: if your budget does not include web filtering, whitelisting, data loss prevention and active management, you should not be providing public wireless. Whether or not you understand these things, they are part of the basics of IT and network security. Now, when your public Wi-Fi network is used by someone whose actions result in harm or injury and you did not implement content (porn, dark sites, worse) restrictions, you are responsible.
In the event something bad did happen on your network and you turned in a cyber insurance claim, you should expect an auditor. Your cyber insurance provider is going to send someone out to review your policies and procedures and interview your staff. If you do not have policies to cover the handling of credit cards and your staff is not trained on them, you are liable. If your credit card network is running on the same network as your corporate data, you are probably liable. This auditor will probably ask to see your credit card data map. Oh yeah, are you asking your customers to “dip the chip” or swipe their card? If they aren’t using chip and pin as of this writing, you are liable.
To minimize the systems in scope, have your credit card terminals installed on “old school” telephone lines, so that card data never touches your data network. Those telephone line based credit card machines should support chip and pin. Your employees should be regularly reminded of their role in IT systems and security. Review sample policies and procedures for handling sensitive data from the SANS Institute and create some for your own organization! Vet your IT vendors; ask people from your social circles who they trust in your area. When installing or deploying new solutions, ask what your network looks like after your vendor is done – get a new network map. Last, get rid of your public Wi-Fi; it could well cost your business way more than a “Your-Guest” Wi-Fi network is worth.
SANS Policies: https://www.sans.org/security-resources/policies