Point-of-Sale Terminal Software offers wireless functionality.
Share:
Press Release Summary:
Helping retailers achieve PCI DSS compliance, WirelessWall POS Architecture combines AES encryption, firewall, AAA, and end-to-end security in standards compliant software solution. With WirelessWall, WEP and Open wireless POS terminals and access points can have WPA2-Enterprise level security without changing terminals, firmware, or network gear.
Original Press Release:
How to Keep Your WEP POS Terminals and Still be PCI DSS 1.2 Compliant
July 7, 2009 - TLC-Chamonix, LLC (TLC) unveils its WirelessWall POS Architecture for wireless Point of Sale Terminals. It helps retailers achieve PCI DSS compliance by combining AES encryption, firewall, AAA and end-to-end security in a standards compliant software solution. Now, WEP or even Open wireless POS terminals and Access Points can have WPA2-Enterprise level security without changing any terminals, firmware or replacing network gear. WirelessWall saves time, saves money, and helps makes you achieve PCI DSS 1.2 network compliance.
The award winning WirelessWall secures wireless and wired infrastructures to provide a transparent instant upgrade to standards compliant, certified (FIPS 140-2) strong security with access controls, allowing business applications and operations to continue undisturbed. It offers peace of mind with better protection, auditability, compliance, and loss prevention, while avoiding the cost of new equipment, new leases and downtime.
Industry Initiative
Faced with the prospect of billions of dollars in losses and lawsuit settlements, the retail industry is finally taking serious measures at self-regulation to protect merchants and consumers from wireless security breaches. Consider:
o 2009 TJX, the parent company of TJ Maxx, Marshalls and other retailers, paid a
$9.8M settlement to 41 states after a $40.9M settlement to Visa for wireless POS breaches. It absorbed over $135 million loss from its 2007 incidents alone.
o 2008 breaches identified by the Identity Theft Resource Center-breaches totaled
449 with over 22 million records exposed. (That's more than all breaches in 2007 and the individual record count is climbing and will exceed 2007 as well)
o 2007 breaches totaled 448 paper and electronic breaches with 127 million records
exposed.
o 2006 breaches totaled 315 affecting nearly 20 million individuals.
o 2005 breaches totaled 158 affecting more than 64.8 million people.
The Payment Card Industry (PCI) is a consortium of worldwide credit card companies (Visa, MasterCard, American Express, Discover and JCB International). To confront and mitigate these mounting losses, and faced with imminent regulation by state and federal agencies plus penalties for violating existing privacy laws, they formed a Security Standards Counsel which implemented a Data Security Standard (PCI DSS) to preemptively control the problem.
PCI DSS - A New World Order
The new edition of the standard mandates improved wireless security practices and drops the broken Wired Equivalency Protocol (WEP) as an approved method, in favor of protocols using strong encryption such as AES. See: PCI DSS 1.2
PCI DSS is not merely a set of recommendations -- non-compliance is not an option. It is a contractual obligation which demands all retail merchants big and small to comply as a condition of being allowed to continue processing credit cards and consumer information via electronic Point of Sale (POS) terminals or other wireless methods.
According to mandate, retailers may not implement new wireless payment systems that use WEP after March 31, 2009. For those that already have wireless payment systems in place, they must stop using WEP for security as of June 30, 2010.
Impact Assessment
Naturally, this has enormous significance to operations and the bottom line of retailers. Perhaps just as great is the cost to POS terminal vendors, who have a large inventory of WEP-only wireless terminals that are often leased to merchants. They stand to lose considerable sums replacing or retrofitting equipment at costs which cannot easily be passed on to merchants, especially in a bad recession.
In these difficult times, vendors and merchants alike need a lower cost, easy to deploy solution that scales from small business to large enterprises with least impact.
WEP Dominates
The mandate bans the use of WEP, but it still dominates and others like WPA2 are poorly adopted. An Airtight 2009 Financial Districts Survey of 3,632 access points in major cities found half were Open or used WEP security. It concluded:
Even worse than this news is that of the tiny few organizations using WPA2, almost all have implemented pre-shared keys (WPA2-PSK) which has well known dictionary cracks, like CoWPAtty that can crack it in seconds - in many ways, making it worse than WEP.
Why Fix Something that Isn't Broken?
The abysmal failure of WPA2 to gain widespread adoption has not prompted the industry to question why (almost) no one is using it. Serious debate and changes in the telecommunications industry to adopt better technology and new standards will be needed before WEP is entirely eliminated.
WEP is still pervasive in large part because wireless equipment manufacturers and industry groups failed to take decisive action to totally replace it and continue to manufacture equipment that supports it. WPA2 is still a security configuration option (and alphabetically WEP is first in most lists). Many users are simply unaware of the difference.
There is also the reluctance to switch from existing protocols until there is an incident that demands it. This translates to the maxim: Why fix something that isn't broken? Unfortunately, this common sense rule can be very costly when applied to security. WEP is broken, but most users don't know it. The feeling is that if WEP weren't "good enough", why would the protocol still be supported by network equipment?
Consumer awareness is one aspect. Even among the technically knowledgeable, there is little appreciation of the distinction between WPA, WPA2-PSK and the only truly strong
protocols: WPA2-Enterprise. All others suffer risk of Man-In-The-Middle attacks, brute-force guessing, or key exchange compromises. The dictionary vulnerability risk of WPA2-PSK can be more vulnerable than WEP.
WPA2-Enterprise is the best solution, but many businesses just don't have back-end RADIUS authentication and LDAP identity management servers or IT with the level of knowledge required to use them, so they accept the risk
The WirelessWall Architecture
WirelessWall is a government certified (FIPS 140-2) wireless security suite used by the military and DoE. Renowned for its investment protection value, WirelessWall adds WPA2-Enterprise grade protection to the current network as a software-only solution instead of replacing legacy wireless hardware and firmware. The DoD 8100-2 directive is mandate for federal and state governments to provide standards based end-to-end strong security. WirelessWall satisfies this directive and was assessed by the Joint Interoperability Testing Center (JITC) for use by Coalition Forces. This high level of protection is now being used to benefit the private sector and retail to eliminate hacking or sniffing end-to-end.
Even if terminals and WiFi gear only support WEP or no security at all, WirelessWall adds a blanket of strong encryption without any reconfiguration. Because it bundles WiFi AES encryption with RADIUS, LDAP and Firewall Policies all in one package.
This solution allows you to meet the compliance requirements listed below.
Table 1 - PCI DSS 1.2 Compliance
PCI DSS Mandate Requirements
--------------------------------------------- -----------------------
Install and maintain a firewall configuration
to protect cardholder data 1.1, 1.2, 1.3, 1.4, 1.5
Do not use vendor-supplied defaults for system
passwords and other security parameters 2.1, 2.2, 2.3
Encrypt transmission of cardholder data across
open, public networks 4.1, 4.2
Develop and maintain secure systems and
applications 6.1, 6.2, 6.3, 6.5
Additionally, it is simpler to deploy and administer, and more cost effective than having those in a separate back-end (although it will support external services if needed).
WirelessWall supports all wireless gear: all 802.11 protocols, WiMax 802.16e, Mesh and 4G. Using WirelessWall gives you everything for a fraction of the cost and none of the inconvenience of alternatives.
Contact: TLC-Chamonix, LLC
120 Village Square Suite
11 Orinda , CA 94563, USA
Phone : +1-877-479-4500
E-Mail:info@tlc-chamonix.com
http://wirelesswall.com/
http://wirelesswall.com/markets/pos/POS-mandate-brochure.pdf
