
New PCI 3.1 Guidelines Address SSL Vulnerability

by AirTightTeam on Apr 23, 2015

On April 15, the PCI Security Standards Council (PCI SSC) published PCI Data Security Standard (PCI DSS) Version 3.1 and supporting guidance. The revision addresses vulnerabilities within the Secure Sockets Layer (SSL) encryption protocol that can put payment data at risk.

Available now on the PCI SSC website, PCI 3.1 is effective immediately.


>>> PCI DSS 3.0 will be retired on 30 June 2015. <<<

PCI SSC explains:

“The National Institute of Standards and Technology (NIST) identified SSL (a cryptographic protocol designed to provide secure communications over a computer network) as not being acceptable for the protection of data due to inherent weaknesses within the protocol. Upgrading to a current, secure version of Transport Layer Security (TLS), the successor protocol to SSL, is the only known way to remediate these vulnerabilities, which have been exploited by browser attacks such as POODLE and BEAST.” Source: PCI Council Publishes Revision to PCI Data Security Standard — PCI DSS 3.1 and supporting guidance helps organizations address vulnerabilities within SSL protocol that put payment data at risk; PA-DSS revision to follow — PCI Security Council, April 2015.

PCI 3.1 and supporting resources are available on the PCI SSC website. This post explains what the change means for you and your business.
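The practical consequence of the SSL retirement is that clients and servers must refuse to negotiate SSL and fall back only to a current TLS version. The following stdlib Python check is an added example (not code from AirTight or the PCI SSC); it assumes a policy floor of TLS 1.2, which is stricter than the post's "current, secure version of TLS" wording, and `example.invalid` is a placeholder host.

```python
"""Client-side TLS policy check in the spirit of PCI DSS 3.1 (added example).

Assumed policy: every SSL version and early TLS (1.0/1.1) are treated as
retired; TLS 1.2 or newer is required. Standard library only.
"""
import socket
import ssl

# Protocol names as returned by SSLSocket.version(), mapped to the assumed policy.
RETIRED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}


def assess_protocol(version: str) -> str:
    """Classify a negotiated protocol version string against the policy."""
    if version in ACCEPTABLE:
        return "acceptable"
    if version in RETIRED:
        return "retired"
    return "unknown"


def pci_client_context() -> ssl.SSLContext:
    """Build a client context that will not negotiate SSL or early TLS.

    create_default_context() already refuses SSLv2/SSLv3 and verifies the
    server certificate; minimum_version (Python 3.7+) pins the floor at TLS 1.2.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the hardened context and report what was negotiated.

    A server that only offers SSLv3 or TLS 1.0 fails the handshake, which is
    the outcome the policy wants; the failure is reported, not raised.
    """
    ctx = pci_client_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                version = tls.version()
                return {"host": host, "protocol": version,
                        "status": assess_protocol(version)}
    except ssl.SSLError as exc:  # handshake refused (retired protocol, bad cert)
        return {"host": host, "protocol": None, "status": f"refused ({exc.reason})"}
    except OSError as exc:  # unreachable, DNS failure, timeout
        return {"host": host, "protocol": None, "status": f"unreachable ({exc})"}


if __name__ == "__main__":
    print(probe_endpoint("example.invalid"))  # placeholder host; use one you operate
```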


New PCI 3.1 White Papers Released

Just in time for the PCI SSC’s news, AirTight released two new white papers:

1) “Do My Security Controls Achieve Wireless PCI DSS? PCI Compliance in the New World of Threats”, and

2) “PCI DSS 3.1 and the Impact on Wi-Fi Security”


1) Do My Security Controls Achieve Wireless PCI DSS? PCI Compliance in the New World of Threats

This white paper covers wireless trends that may affect PCI compliance, such as the Internet of Things, the 802.11ac transition and mobile POS adoption.

The paper highlights why 802.11ac adoption may create security blind spots. According to IDC’s 2015 Wi-Fi shipment data:

“the 802.11ac standard continues to see adoption at a breakneck pace in the enterprise segment. The 802.11ac standard already accounts for 30% of access point shipments, representing a noticeably faster adoption rate than the 802.11a/b/g to 802.11n transition several years ago.”

Source: “PCI Compliance In The World Of New Threats: Do My Security Controls Achieve Wireless PCI DSS?”, April 2015.

The 802.11ac standard is also reaching consumer devices, and anyone can buy an 802.11ac access point at a local Best Buy, creating a pool of potential rogue access points.

Many merchants may be reluctant to invest in 802.11ac technology for their Wi-Fi networks because of limited backhaul capacity. However, the risk of being unable to detect and mitigate 802.11ac threats is real.

From the standpoint of wireless intrusion prevention, you need 802.11ac sensors to perform your wireless PCI compliance scanning: 802.11n radios can only detect a subset of the security threats in the 802.11ac spectrum.

So if you have an aging 802.11n or earlier infrastructure, this is a strong reason to upgrade to 802.11ac technology.

Download the white paper for additional trends and to learn how to use technology to lower the barriers to wireless PCI compliance.

Do my security controls achieve the spirit of wireless PCI DSS?

Register for the webinar: May 5th 8am PDT [on-demand]

2) PCI 3.1 and the Impact on Wi-Fi Security

The paper discusses PCI DSS 3.1 requirements from the wireless perspective and provides best practices for compliance, security and IT managers.

Let’s have a look at some of the best practices highlighted in the paper:

  • Limit the scope of your PCI audit through network segmentation
    The “golden rule” is to limit the scope of your PCI audit to the cardholder data environment (CDE). This means that any network or device that does not interact with cardholder data is firewalled from the systems that transmit, store or process cardholder data. Doing this greatly reduces the effort required to demonstrate PCI compliance.
  • Use strong wireless encryption and authentication
    This applies to any wireless network that touches the CDE, and especially to mobile POS: use WPA2 encryption together with strong authentication on the wireless network. Make sure the client devices are hardened and secured so that they cannot be stolen and sensitive data cannot be taken from them.
  • Implement an incident response plan
    Document the process you will follow when an incident is found. Having your process documented and ready to go will help you minimize ad hoc reactions to specific incidents.
  • Establish and maintain a strong relationship with your auditor
    Keep the same audit company and team year over year if possible. This reduces the time and effort needed to familiarize the auditor with your environment, which ultimately lowers the audit expense and eases the process for your internal staff. Your organization can then focus on remediating gaps and assessing the systems and environment that change from year to year, rather than bringing a new auditor up to speed.

Source: “PCI DSS 3.1 and the Impact on WiFi Security”, April 2015.

Download the white paper for a comprehensive overview of wireless PCI compliance and security, including additional best practices.


The world of wireless PCI compliance is changing. Are you ready?


Additional Information:


This post is part 1 of the 3-part series on wireless PCI compliance. Read part 2: 3 Trends Impacting Wireless PCI Compliance and part 3: PCI Compliance and Wi-Fi: Friends or Foes?


