This is part three of our blog series dedicated to wireless PCI compliance; in this installment we focus on deployment best practices and common misconceptions. Read part 1: New PCI 3.1 Guidelines Address SSL Vulnerability and part 2: 3 Trends Impacting Wireless PCI Compliance.
Following our webinar on wireless PCI compliance, I sat down with Kevin McCauley, director of retail business development at AirTight, and Sean Blanton, systems engineering manager at AirTight, to follow up on the questions we got during the webinar.
We began by discussing how businesses can open up their Wi-Fi networks for guest engagement, while maintaining security and PCI compliance.
How can you balance the seemingly contradictory demands of having an ‘open’ network that welcomes visitors, but is also secure?
Kevin McCauley: A different way to look at this question is to ask – how can operators leverage the existing investment they have already made in network connectivity while maintaining PCI compliance and providing guest engagement? The biggest Wi-Fi question for me during my IT career at Yum! Brands was, “Why is guest Wi-Fi not free for me?”
I am a big believer in looking for ways to double- and triple-dip in my infrastructure investments. Guest Wi-Fi is just one of the uses you can put your wireless network to – the others being connectivity for staff productivity, wireless PCI compliance scanning and rogue detection. But keep in mind that while guest Wi-Fi and employee Wi-Fi are great to have, wireless intrusion prevention (WIPS) technology is a must-have when it comes to full PCI DSS compliance.
What are some misconceptions that IT managers and compliance officers still have when it comes to PCI compliance and Wi-Fi?
Sean Blanton: The biggest misconception out there is that creating a Wi-Fi network – either private or public – that runs off the same circuit as your CDE (cardholder data environment) will compromise PCI compliance. In other words, the concern is that having both Wi-Fi and CDE traffic on the same network is a security and compliance detriment.
Quite the opposite – as long as you have proper controls in place to segment the various virtual networks, you can indeed be PCI compliant. The option we recommend is segmenting your traffic using VLAN technology and implementing proper firewall rules to make sure that your CDE network cannot talk to your non-CDE network.
The first question I ask anyone who has these concerns is whether they have managed, or smart, switches that have VLAN capabilities. VLAN is the optimal way to segment traffic and ensure security.
Is VLAN the only option?
SB: If your organization has not implemented managed switches, then definitely plan on it during your next upgrade cycle! Barring that, the NAT’ed network plus proper firewall rules at the AP level will allow you to segment your traffic. The firewall will prevent any ‘untrusted’ (guest) clients from accessing your trusted network.
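As an added illustration (not code from AirTight or the interview), here is a small Python audit of the segmentation rule Sean describes: given a first-match inter-VLAN firewall policy, it reports every direction in which CDE and non-CDE segments can still talk. The VLAN names, the weak and hardened policies and the first-match semantics are constructed assumptions for the example.

```python
"""Audit a first-match inter-VLAN firewall policy for PCI CDE segmentation."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Rule:
    src: str      # source VLAN/zone name, or "any"
    dst: str      # destination VLAN/zone name, or "any"
    action: str   # "accept" or "drop"


def decide(rules, default_policy, src, dst):
    """Action taken for traffic src -> dst; the first matching rule wins."""
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any"):
            return r.action
    return default_policy


def segmentation_violations(rules, default_policy, cde_vlans, other_vlans):
    """Every (src, dst) pair across the CDE boundary that the policy permits.

    Segmentation requires that CDE and non-CDE segments cannot reach
    each other in either direction, so both directions are checked.
    """
    violations = []
    for cde, other in product(cde_vlans, other_vlans):
        for src, dst in ((cde, other), (other, cde)):
            if decide(rules, default_policy, src, dst) == "accept":
                violations.append((src, dst))
    return violations


# Constructed example: POS on vlan10 (CDE), staff on vlan20, guest on vlan30.
WEAK_POLICY = [
    Rule("vlan30", "vlan20", "drop"),  # guest may not reach staff ...
    Rule("any", "any", "accept"),      # ... but anything else, including guest -> CDE, is allowed
]
HARDENED_POLICY = [
    Rule("vlan10", "wan", "accept"),   # CDE egress to the payment processor is still permitted
    Rule("vlan30", "wan", "accept"),   # guests get Internet only
    # no rule crosses the CDE boundary, and the default policy below is drop
]


def audit():
    """Run both policies against the same VLAN layout and return the violations."""
    cde, other = ["vlan10"], ["vlan20", "vlan30"]
    return {"weak": segmentation_violations(WEAK_POLICY, "accept", cde, other),
            "hardened": segmentation_violations(HARDENED_POLICY, "drop", cde, other)}


if __name__ == "__main__":
    for name, found in audit().items():
        print(name, "violations:", found or "none")
```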
What are some key attributes of Wi-Fi solutions hospitality operators should be looking for?
KM: Address PCI compliance and security first. No point in opening your network for customer engagement if you cannot protect your brand from breaches or data loss. Consider your customers’ experience as well – enable content filtering on your wireless system for family-friendly web browsing.
SB: To add to what Kevin said, I see some misconceptions with regards to Wi-Fi ‘abuse.’ I often have to address concerns that visitors will start streaming videos or downloading massive files from the web. IT managers worry that Wi-Fi that is drawing customers in will start having a negative impact on the business. In my experience, this has not been the case. The vast majority of users do not aim to abuse your network – it’s a great convenience, and that’s it.
There are also ways to prevent Wi-Fi ‘abuse’ in the AirTight system, such as setting time limits roughly equivalent to your typical dwell times and/or creating time-out periods, which would prevent a guest from reconnecting to the network for a specified window of time.
How should IT leaders work with the line of business managers to drive Wi-Fi projects forward?
KM: Don’t be afraid to experiment – run a pilot and see what kind of analytics you can gather from your airspace. Also keep in mind that Wi-Fi projects often start with a single use case in mind, but other departments – store operations, marketing and HR – soon want to jump on board.
We are seeing broad deployment of tablet-based applications, such as computer-based training, line busting or mobile POS. AirTight customers leverage our WIPS technology to lock those trusted devices to authorized Wi-Fi networks and prevent them from joining neighboring networks in the airspace.
So, can PCI compliance and Wi-Fi be friends?
KM: Without a doubt!
This post concludes our three-part blog series dedicated to wireless PCI compliance. Read part 1: New PCI 3.1 Guidelines Address SSL Vulnerability and part 2: 3 Trends Impacting Wireless PCI Compliance.
- Register to download the free ebook: A Guide for Wireless Customer Engagement and Security [PDF]
- Why Should my Wi-Fi be PCI Compliant – infographic via SlideShare
- Do My Security Controls Achieve Wireless PCI DSS? PCI Compliance in the New World of Threats – whitepaper [PDF]
- PCI 3.1 and the Impact on Wi-Fi Security – whitepaper [PDF]
- Blog posts by Sean Blanton