PA-DSS requirement 6.1

Securely implement wireless technology

Maitre’D supports a wide range of wireless handheld devices and tablets. Also, more and more sites want to offer wireless internet access to their customers. Combining these two factors can pose some serious security challenges if it’s not done properly.

There are far too many wireless routers and access points available on the market today to list all of them here or to give detailed setup instructions for them all. However, here are some guidelines that need to be followed in order to implement a secure wireless network to be used with Maitre’D. Please refer to your hardware’s documentation for instructions specific to your devices.

Physical segmentation

  1. Use separate devices for general internet access and for the secured Maitre’D network.

  • If the merchant provides free and unsecured Wi-Fi for customers, make sure that a completely separate device is used for that purpose, and make sure that this unsecured wireless network cannot “see”, connect or interact with the Maitre’D network in any way, shape or form.

  • Although some devices have a “guest access” feature, which is meant to allow internet access to guests while blocking access to other computers, it is not recommended to use it. Using a separate device for your guests is much more secure.

  • In addition to using a separate device for general Wi-Fi access, this type of access needs to be segregated to its own network segment.

  2. Install a firewall between any wireless networks and systems that store cardholder data.

  • If wireless devices are used as points of sale, the wireless network that supports them must be separated from the Maitre’D Back-Office network by a firewall.

  • Any wireless traffic (including specific port information) should be documented.

  • A “Deny all” rule must be present, so that only explicitly authorized traffic is permitted between the wireless environment and the cardholder data environment.
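The two firewall rules above (document every permitted flow, and end with a “Deny all”) can be checked mechanically. The following is an added example, not part of the Maitre’D documentation: it models a ruleset in a small vendor-neutral form and audits it. The network addresses, the port number 8000 and the two sample policies are constructed assumptions, not Maitre’D values; the audit assumes first-match semantics (the first rule that matches a packet decides).

```python
"""Audit the firewall policy between a wireless segment and the cardholder
data environment (CDE).  Added example; the addresses, port and policies
below are constructed, not taken from Maitre'D documentation."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # source network in CIDR notation, or "any"
    dst: str             # destination network in CIDR notation, or "any"
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # destination port; None means any port

    def is_deny_all(self) -> bool:
        """True only for the catch-all rule that drops everything."""
        return (self.action == "deny" and self.src == "any" and self.dst == "any"
                and self.proto == "any" and self.port is None)


# Constructed segment addresses (assumptions, not Maitre'D values).
WIRELESS_POS_NET = "192.168.50.0/24"
BACK_OFFICE_NET = "192.168.10.0/24"

# The documented, authorized wireless-to-CDE flows.  The port is a placeholder;
# use the ports recorded in your own Maitre'D network documentation.
DOCUMENTED_FLOWS = {
    (WIRELESS_POS_NET, BACK_OFFICE_NET, "tcp", 8000),
}


def audit(rules, documented=DOCUMENTED_FLOWS):
    """Return a list of findings.  An empty list means the policy meets the
    guideline: every allow names one specific, documented flow, and a
    "deny all" is the final rule so anything undocumented is dropped."""
    findings = []
    if not rules or not rules[-1].is_deny_all():
        findings.append('no terminal "deny all" rule')
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        if r.src == "any" or r.dst == "any" or r.proto == "any" or r.port is None:
            findings.append(f"rule {i}: allow is not restricted to a specific flow")
        elif (r.src, r.dst, r.proto, r.port) not in documented:
            findings.append(f"rule {i}: allow matches an undocumented flow "
                            f"{r.src} -> {r.dst} {r.proto}/{r.port}")
    return findings


# Constructed policies: the first follows the guideline, the second does not.
GOOD_POLICY = [
    Rule("allow", WIRELESS_POS_NET, BACK_OFFICE_NET, "tcp", 8000),
    Rule("deny", "any", "any", "any", None),
]
BAD_POLICY = [
    Rule("allow", WIRELESS_POS_NET, BACK_OFFICE_NET, "tcp", 8000),
    Rule("allow", WIRELESS_POS_NET, BACK_OFFICE_NET, "tcp", 3389),  # not documented
    Rule("allow", WIRELESS_POS_NET, "any", "any", None),            # far too broad
]

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, audit(policy) or "OK")
```

Run it and the second policy yields three findings: no terminal deny-all, one undocumented allow, and one allow that is too broad. Translating an actual vendor ruleset into `Rule` objects is the only site-specific work.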

Encryption

  1. Enable encryption

  • Use Wi-Fi Protected Access II (WPA2) encryption for your wireless network. WPA2 is more complex and more secure than WPA. WPA2 is required to comply with industry best practices as described in the IEEE 802.11i-2004 standard.

  • DO NOT use WEP encryption. This type of encryption has been proven insecure and very easy to breach. In fact, the use of WEP encryption as a security control is prohibited by the PCI SSC since June 30th, 2010. If your device does not support WPA2 or better encryption, see if an update is available from the manufacturer of your device. If not, you will need to have that device replaced to remain PCI DSS compliant.

  • AVOID using WPA encryption. Wi-Fi Protected Access (WPA) had previously been introduced by the Wi-Fi Alliance as an intermediate solution to WEP insecurities until the more secure WPA2 encryption was developed. While still technically allowed by the PCI SSC, this type of encryption is not as secure as WPA2. If your device does not support WPA2 or better encryption, see if an update is available from the manufacturer of your device.

  2. Use long and complex passphrases

  • A WPA2 passphrase is a string of 8 to 63 printable ASCII characters. Although WPA2 uses strong encryption, it is still vulnerable to password cracking attacks if the user relies on a weak passphrase.

  • Use a passphrase of at least 20 characters, containing a mix of capital and lower case letters, numbers and special characters. Unlike a password, a passphrase only needs to be entered once and does not need to be memorized, so it can be more complex.

  • Even though it is called a “passphrase”, do not use any dictionary word in any language. Also, never use personal information such as your name, your spouse’s name, your children’s names, birthdates, phone numbers, etc.
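The passphrase rules above can be turned into a check that is run before a passphrase is entered on the access point. The following is an added example, not part of the Maitre’D documentation: the 8–63 printable-ASCII limits come from the WPA2 standard, the 20-character minimum and the character-class rule from the guideline, and the dictionary and personal-information lists are tiny constructed stand-ins (in practice, load a full word list and the merchant’s own names, dates and phone numbers).

```python
"""Check a WPA2 passphrase against the guideline.  Added example, not part of
the Maitre'D documentation; the word lists are constructed stand-ins."""

WPA2_MIN_LEN, WPA2_MAX_LEN = 8, 63   # limits fixed by the WPA2 standard
RECOMMENDED_MIN_LEN = 20             # the guideline's minimum
MIN_WORD_LEN = 4                     # shorter matches produce too many false hits

# Constructed stand-ins: replace with a real dictionary and the site's own data.
DICTIONARY_WORDS = {"password", "restaurant", "wireless", "coffee", "summer", "maitre"}
PERSONAL_INFO = {"john", "smith", "1985", "5551234"}

SPECIALS = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")


def check_wpa2_passphrase(passphrase, dictionary=DICTIONARY_WORDS, personal=PERSONAL_INFO):
    """Return a list of problems; an empty list means the passphrase passes."""
    problems = []
    # WPA2 only accepts printable ASCII (codes 32-126); anything else is rejected
    # by the access point or silently mangled by some clients.
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        problems.append("contains characters outside printable ASCII 32-126; WPA2 will reject it")
    n = len(passphrase)
    if not WPA2_MIN_LEN <= n <= WPA2_MAX_LEN:
        problems.append(f"length {n} is outside the WPA2 range {WPA2_MIN_LEN}-{WPA2_MAX_LEN}")
    elif n < RECOMMENDED_MIN_LEN:
        problems.append(f"length {n} is below the recommended minimum of {RECOMMENDED_MIN_LEN}")
    classes = {
        "upper-case letter": any(c.isupper() for c in passphrase),
        "lower-case letter": any(c.islower() for c in passphrase),
        "digit": any(c.isdigit() for c in passphrase),
        "special character": any(c in SPECIALS for c in passphrase),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"missing a {name}")
    # Dictionary words and personal data are matched case-insensitively as
    # substrings, so "Restaurant2024!" is caught even with decoration around it.
    lowered = passphrase.lower()
    for word in sorted(dictionary):
        if len(word) >= MIN_WORD_LEN and word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    for token in sorted(personal):
        if token in lowered:
            problems.append(f"contains personal information '{token}'")
    return problems


if __name__ == "__main__":
    for candidate in ("7Kq$v9Lm#2Xr!pW4zH&8nB", "Restaurant2024!", "john"):
        print(repr(candidate), check_wpa2_passphrase(candidate) or "OK")
```

Substring matching is deliberately strict: a passphrase that merely contains a dictionary word is flagged, because offline guessing tools try words with common prefixes and suffixes first.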

Change vendor’s default settings

  1. Change the default username and password to access your router or wireless access point.

  • Most manufacturers use a default username and password used to configure the device after it’s first taken out of its box. These usernames and passwords are the same for every single device from a given manufacturer, so it is absolutely imperative to change them as soon as possible, and use strong passwords. Refer to PA-DSS requirement 3.1 for guidance on strong passwords.

  2. Change the default Service Set Identifier (SSID) of your wireless network.

  • Using the default “out-of-the-box” SSID for a wireless network tells would-be hackers that your wireless network was set up by a novice, and that other settings may also have been left at their default values.

  • The complexity of the SSID has no real impact on security; however, bear in mind that it is used as a “salt” with WPA2 encryption. Hackers use Rainbow Tables containing hashes obtained from common SSIDs and common passphrases to speed up brute force or dictionary attacks. For this reason, you should avoid using any SSID that is in the top-1000 SSIDs list found at https://wigle.net/stats#ssidstats.

  • When defining an SSID, make sure to use something unique, that you can easily remember and identify, without giving clues as to the network usage or the hardware in use.

  • Do not use an SSID which could give hints or clues as to the make or model of your Wi-Fi router or access point, such as “LinksysWRT54G” for instance.

  • Do not use an SSID which could suggest what your network is used for, such as “WiFi for credit cards” or “MaitreD Wireless”.
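The “salt” remark above is literal: WPA2-Personal derives its 256-bit pre-shared key with PBKDF2-HMAC-SHA1 (4096 iterations), using the passphrase as the key and the SSID as the salt, so a table precomputed for one common SSID is useless against any other SSID. The following is an added example, not part of the Maitre’D documentation: it derives the key exactly as IEEE 802.11i specifies (checked against the standard’s own published test vector, passphrase “password” with SSID “IEEE”), and adds a simple SSID review for the three rules above. The common-SSID set and the hardware/usage hint list are constructed stand-ins for the wigle.net top-1000 list, not complete lists.

```python
"""Show why the SSID matters to WPA2 even though it is not secret, and review
an SSID against the guideline.  Added example, not part of the Maitre'D
documentation; the SSID lists below are constructed stand-ins."""
import hashlib


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096 iterations, 256 bits),
    as specified in IEEE 802.11i.  The SSID is the salt, so the same
    passphrase gives a different key on every differently named network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


# Constructed stand-in for the most common SSIDs (the real list is on wigle.net).
COMMON_SSIDS = {"linksys", "default", "NETGEAR", "dlink", "xfinitywifi"}
# Constructed, non-exhaustive substrings that leak hardware make or purpose.
HINT_SUBSTRINGS = ("linksys", "netgear", "wrt", "dlink", "tplink",
                   "credit", "card", "maitre")


def ssid_findings(ssid: str, common=COMMON_SSIDS) -> list:
    """Return a list of guideline violations for an SSID; empty means it passes."""
    findings = []
    # 802.11 limits the SSID to 32 bytes.
    if not 1 <= len(ssid.encode("utf-8")) <= 32:
        findings.append("SSID must be 1-32 bytes long")
    if ssid in common:
        findings.append("SSID is on the common-SSID list; precomputed tables exist for it")
    low = ssid.lower()
    for hint in HINT_SUBSTRINGS:
        if hint in low:
            findings.append(f"SSID hints at hardware or purpose ('{hint}')")
    return findings


if __name__ == "__main__":
    # Same passphrase, two SSIDs: the derived keys share nothing.
    print("IEEE    :", wpa2_psk("password", "IEEE").hex())
    print("Bistro  :", wpa2_psk("password", "Bistro-7f3a").hex())
    for candidate in ("linksys", "MaitreD Wireless", "Bistro-7f3a"):
        print(repr(candidate), ssid_findings(candidate) or "OK")
```

Note that a unique SSID only defeats precomputation; it does nothing against an attacker who computes the 4096-iteration derivation on the fly for each guess, which is why the passphrase rules in the previous section still apply.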

Filtering

  1. Enable MAC Address filtering on your access point or router.

  • Every single networking device on the planet has a unique hardware address known as a MAC Address. For the Maitre’D wireless network, make sure that only known MAC Addresses are allowed. All modern wireless routers and access points should allow you to configure a list of allowed MAC addresses.

  • Remember that MAC Address filtering does not replace strong encryption. It should be used in addition to WPA2 encryption.

SSID Broadcast

  1. Do NOT disable SSID Broadcast.

  • Disabling SSID broadcast causes your router or access point to stop advertising (broadcasting) its SSID. This may sound like a good thing, but it’s really not.

  • First of all, finding a “hidden” SSID is a trivial effort for anyone with minimal knowledge of Wi-Fi technology. Tools readily available on the internet allow anyone to find any SSID in minutes.

  • Secondly, disabling SSID Broadcast forces connecting devices (handhelds, tablets, etc.) to constantly transmit the SSID in their requests to the wireless router. In turn, this allows a hacker to impersonate your router using a laptop or even a smartphone and obtain your credentials that way. Also note that connecting devices will continue to call out for the wireless router even when out of range, which may get these devices compromised.

  • Most (if not all) wireless routers and access points have SSID Broadcast enabled by default. Be sure to leave it enabled, even if it may seem counter-intuitive.

WPS PIN Recovery

  1. Disable WPS PIN Recovery

  • Wi-Fi Protected Setup (WPS) is a security protocol created by the Wi-Fi Alliance and introduced in 2006. The goal of this protocol is to allow home users who know little of wireless security and may be intimidated by the available security options to set up Wi-Fi Protected Access (WPA), as well as making it easy to add new devices to an existing network without entering long passphrases.

  • A major security flaw was revealed in December 2011 that affects wireless routers with the WPS PIN feature, which most recent models have enabled by default. The flaw allows a remote attacker to recover the WPS PIN in a few hours with a brute-force attack and, with the WPS PIN, the network's WPA/WPA2 pre-shared key.

  • Given this security flaw, the WPS PIN Recovery feature needs to be disabled. If your router or access point does not allow for this feature to be disabled, see if a firmware update is available from the manufacturer or have the device replaced.

Remote Login

  1. Disable remote login for your router.

  • Some routers allow remote management through some form of remote access tool, allowing you to connect to your router from anywhere in the world. Make sure to completely disable that feature.

  • If you need to remotely manage your router for whatever reason, only enable the access for the time it is required, and make sure to change the default username and password.

Wireless Administration

  1. Disable wireless administration.

  • Some wireless routers and access points allow the device to be managed wirelessly. Make sure to disable that feature. This will force you to use a network cable in order to connect to the router to manage its settings, but it also prevents anyone within range from trying to hack into your router’s setup program wirelessly.

SNMP Protocol

  • Simple Network Management Protocol (SNMP) is an Internet-standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior. Devices that typically support SNMP include routers, switches, servers, workstations, printers, modem racks and more.

  • This protocol is more often used on enterprise-grade equipment, but some small-office and even home-user devices now feature SNMP capability.

  • Malicious users may use the SNMP protocol to gain knowledge of the network topology and use this knowledge to identify and target more vulnerable systems.

  • SNMP uses passwords known as “Community Strings” for authentication. There are generally two community strings: one for read-only access, and one for read-write access. The default community string that provides the monitoring or read capability is often "public". The default management or write community string is often "private".

  • If the SNMP protocol is not actively being used, it should be disabled altogether. If it is being used, then it is imperative that both monitoring and management community strings be changed from their default manufacturer’s values, which are well-known by any would-be attacker.

Updates

  1. Update your devices’ firmware

  • All wireless routers and access points have internal software that makes them work. This software is burnt onto special memory chips and is referred to as “Firmware”. From time to time, manufacturers will release new firmware versions for your devices to fix bugs, improve functionality or patch security issues. Make sure to check your manufacturer’s website periodically and update the firmware as soon as a new version becomes available.
