San Francisco, CA (PRWEB) August 17, 2009
Unifying IT controls simplifies compliance and cuts costs, as demonstrated by the recent release of The PCI Security Standards Council's "Wireless Security Guide," created in response to feedback from retailers and other businesses claiming that wireless guidance in the Payment Card Industry Data Security Standard (PCI DSS) was too ambiguous.
Many of the issues that businesses were struggling with, such as scope and segmentation, are already detailed in the PCI DSS, including processes that could enable businesses to secure wireless systems compliantly with no new investment in infrastructure. But that information is scattered throughout 74 pages of PCI documentation.
"People who just looked at section 4.1, the single paragraph which specifically addresses wireless security in the PCI DSS, were overlooking critical compliance and security information. There was also confusion about how to implement the more general data security standards in a wireless environment," says Dorian Cougias, founder and Lead Analyst of Network Frontiers, a provider of IT regulatory compliance management solutions. Network Frontiers' Unified Compliance Framework (UCF) rationalizes IT controls from over 400 international regulatory requirements, standards and guidelines into a single set of straightforward requirements.
Network Frontiers' team worked closely with the PCI DSS Wireless Security Special Interest Group to create the PCI Wireless Security Guide. Network Frontiers' compliance experts hosted the group discussion forum, created the graphics used in the report and did much of the editing for the report. Network Frontiers also supplied the group with the 229 wireless controls, mapped to the UCF, for use in their research. All of the wireless controls cited in the PCI Wireless Security Guide were already present in the UCF.
During the process of creating the guide, participants noted that much of the confusion regarding PCI and wireless security centered on which parts of a business's wireless network are in scope and must be secured in accordance with PCI guidelines (short answer: wireless is always in scope when PCI compliance is being assessed). Segmentation was another area of concern for some businesses: even if Wi-Fi is not used to transmit payment card data, wireless networks must be completely segmented from sensitive cardholder data.
Other areas addressed in the Wireless Security Guide include the importance of maintaining hardware inventories and reconciling that inventory with quarterly network scans to help ensure that rogue devices haven't crept onto the network.
Many businesses must comply with multiple government and industry regulations. The UCF enables organizations to easily define the commonalities among multiple regulatory bodies, leverage policies, processes and tools already in place, and dramatically cut the cost and time invested in compliance efforts.
The UCF database is licensed by leading governance, risk and compliance (GRC) vendors including Archer, McAfee, CA, Compliance Spectrum, NEMEA, NetIQ, PolicyTech, TruArx, Lumension, and ControlScan.
The PCI DSS wireless security guide can be viewed here: https://www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless_Guidelines.pdf
# # #