ISOs with clients using wireless terminals should take notice when the Payment Card Industry Security Standards Council releases an update Oct. 1 to the primary data standard.
The council is requiring Wi-Fi protected access, called WPA encryption, instead of wired equivalent privacy, or WEP, which experts say is fraught with weaknesses. The move away from WEP creates a sales opportunity for ISOs and agents, according to Adil Moussa, an analyst at Boston-based Aite Group LLC.
"Those ISOs and acquirers that are sales-minded probably are going to take advantage of any sort of PCI-compliance changes to cross-sell other products or upgrade their merchants," Moussa says. Agents can call merchants about their wireless terminals and then inquire about other services they may need, he suggests.
Merchants will need help because wireless terminals can be difficult to understand, says Dmitriy Lerman, director of marketing and products for South Plainfield, N.J.-based mobile point-of-sale terminal company Charge Anywhere LLC. "These are people who are into the business of selling shoes, pizza and other things; they are not experts in Wi-Fi," Lerman says.
Wireless terminals that operate on cellular communication networks, such as AT&T and Verizon, do not suffer from the same security risks as those running on Wi-Fi, according to Lerman.
Large merchants are expected to comply with new security standards, Lerman says, because they tend to have larger budgets for such purposes. But "we have been proven incorrect on that point with some major security breaches," he says.
Smaller merchants have difficulty applying new standards because they lack the resources of larger merchants, Lerman adds. He suggests smaller merchants use a consulting service to help with new standards to help avoid data breaches.
Michael LaBarge, president and CEO of Reston, Va.-based Datassurant Inc., says some merchants are shying away from Wi-Fi-enabled wireless terminals because of past retail security breaches.
Big Reason for Change
The most celebrated data breach involving WEP happened at Framingham, Mass.-based TJX Cos. Inc. in 2006.
Fraudsters compromised approximately 89 million payment card accounts when they used a WEP-based wireless connection to access customer information on TJX's server. Court documents show the company planned a conversion to WPA, but TJX information-technology executives delayed the process. When the council released the first PCI standard in 2004, WEP still was allowed to encrypt payment data on wireless local area networks.
Version 1.1 of the PCI standard, released in 2006, declared WEP inadequate on its own for wireless networks handling payment card data, but retailers could still use it alongside the more-secure Wi-Fi protected access. The council, however, says Wi-Fi protected access, or WPA, is acceptable on its own for handling card data.
"We're letting merchants know there are authentication issues with WEP, and we want to make sure that they are aware they should be moving away from WEP," says Bob Russo, general manager of the Wakefield, Mass.-based council. Merchants have time to make the change, Russo says.
Version 1.2 of the security standard changes the requirement for encrypting a connection to a broadband-wireless network to a more secure measure. The update says "new implementations of WEP are not allowed after March 31, 2009," and "current implementation must discontinue use of WEP after June 30, 2010." The WEP requirement is one of the few substantive changes in version 1.2, which is otherwise intended to clarify the standard as written in version 1.1.
Version Clarifies Standards
The council releases periodic summaries of changes to the standard to give merchants time to prepare, Russo says. "We didn't want to spring [the changes] on people all at once," Russo says. Most of version 1.2 will focus on clarifications and eliminate redundancies from version 1.1.
"The majority of what's changing in here is clarifications and further defining what we actually mean when we say you need to do something on a relatively frequent basis," Russo says.
The council plans to update the standard every two years. Moussa says no one can guarantee Wi-Fi-protected access will be the standard by then. "Everybody was thinking [WEP] was the greatest thing a couple of years" ago, he says.
Russo says the council can tweak version 1.2 before Oct. 1, based on comments from merchants, card companies and data-security companies.