Path to PCI DSS Compliance: High Incidence of WiFi Vulnerabilities

The deadline set by Visa for Level 1 merchants to comply with the PCI DSS requirements passed recently, on Sept. 30, 2010. What we do not yet know, however, is how many of these merchants actually met the compliance requirements.
Knowing the 'path to compliance' that various merchants experienced, whether they achieved compliance or could not do so within the deadline, will surely provide useful insights, such as an understanding of the prevailing vulnerabilities and of the problems faced at the various stages of the compliance process. These insights could further improve the compliance process and methodology for merchants. They could also bring about refinements in the compliance requirements themselves, making them more effective at protecting cardholder data from known and emerging threats and vulnerabilities.
One such insight was recently reported by AirTight Networks, which found a very high incidence of wireless vulnerabilities and poor wireless security practices among organizations subject to PCI DSS. The insight is based on an analysis of wireless scanning data collected by AirTight with its SpectraGuard® Online PCI wireless compliance scanning service over a six-month period, covering more than 200 cardholder data environments (CDEs) that were working towards PCI compliance using the automated scanning service.
Further, the detected vulnerabilities were found to violate multiple PCI DSS wireless requirements, as set out in the PCI DSS Wireless Guideline issued in July 2009. Among the most commonly violated requirements were 2.1.1, 1.2.3 and 4.1.1.
Among the other findings reported by AirTight, rogue APs continued to be a major pain point for organizations, along with the prevalence of vulnerable authorized wireless clients, such as wireless POS terminals, smartphones and laptops. In its conclusions, AirTight found that only 24% of enterprises came completely clean in the assessment.
Looking over the findings, it is obvious that many organizations are still affected by some of the most common wireless threats, such as rogue APs and poor WiFi security configurations, which can easily put at risk the cardholder data these organizations process. Seen in this light, merchants can appreciate why PCI DSS mandates wireless scanning as one of its requirements.
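As an added example (not AirTight's code or data), the triage below classifies constructed scan records against the three requirements the article names. The BSSIDs, SSIDs, default-SSID list and the CDE inventory are all assumptions, and the requirement scopes follow the PCI DSS of that period: 1.2.3 (perimeter firewall between any wireless network and the CDE), 2.1.1 (change wireless vendor defaults) and 4.1.1 (strong encryption for wireless, with WEP prohibited).

```python
from dataclasses import dataclass

# Constructed inventory of the APs this merchant has sanctioned in its CDE.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
# Illustrative factory-default SSIDs; a real list comes from the vendor docs.
DEFAULT_SSIDS = {"linksys", "default", "NETGEAR", "dlink"}
STRONG_ENCRYPTION = {"WPA2"}  # WEP and open networks fail Req 4.1.1


@dataclass
class ScanRecord:
    """One access point observed by the scanner (constructed records below)."""
    bssid: str
    ssid: str
    encryption: str     # "OPEN", "WEP", "WPA" or "WPA2"
    on_cde_wire: bool   # True if wired-side correlation places the AP inside the CDE


def assess(rec: ScanRecord) -> list[str]:
    """Return the PCI DSS wireless findings for one AP; an empty list means clean."""
    if rec.bssid not in AUTHORIZED_BSSIDS:
        # An unsanctioned AP bridged into the CDE bypasses the perimeter firewall
        # that Req 1.2.3 requires between wireless and the CDE. An unknown AP that
        # is *not* on the wire is a neighbouring network, not a finding.
        return ["ROGUE_AP_ON_CDE (Req 1.2.3)"] if rec.on_cde_wire else []
    findings = []
    if rec.ssid in DEFAULT_SSIDS:
        findings.append("VENDOR_DEFAULT_SSID (Req 2.1.1)")  # defaults left unchanged
    if rec.encryption not in STRONG_ENCRYPTION:
        findings.append(f"WEAK_ENCRYPTION_{rec.encryption} (Req 4.1.1)")
    return findings


def clean_fraction(environments: dict[str, list[ScanRecord]]) -> float:
    """Share of scanned CDEs in which no AP produced any finding."""
    clean = sum(1 for recs in environments.values() if not any(assess(r) for r in recs))
    return clean / len(environments)


# Constructed scan results for four CDEs; only "store-a" comes out clean.
SCANS = {
    "store-a": [ScanRecord("00:11:22:33:44:01", "corp-pos", "WPA2", True),
                ScanRecord("aa:bb:cc:dd:ee:01", "CoffeeShop", "OPEN", False)],
    "store-b": [ScanRecord("00:11:22:33:44:02", "corp-pos", "WEP", True)],
    "store-c": [ScanRecord("00:11:22:33:44:01", "linksys", "WPA2", True)],
    "store-d": [ScanRecord("de:ad:be:ef:00:01", "corp-pos", "WPA2", True)],
}

if __name__ == "__main__":
    for env, recs in SCANS.items():
        print(env, [f for r in recs for f in assess(r)])
    print(f"clean environments: {clean_fraction(SCANS):.0%}")
```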
Hence, after reviewing AirTight's insights, it can be said that similar findings, when reported by other companies and merchants involved in the PCI compliance process, can help everyone understand and appreciate the need for a compliance process. As many experts have already said, merchants should not treat PCI compliance as a burden or a tick-box requirement; rather, they should understand the underlying intent of compliance, which is to proactively protect them from the security threats capable of damaging their brand and business.
Merchants, therefore, should always implement correct and effective procedures to achieve compliance in its true spirit. Doing so will help take their businesses to the next level in terms of operational efficiency and brand differentiation.
