PCI DSS Compliance
If your organization is subject to Payment Card Industry Data Security Standard (PCI DSS) requirements, use this information to understand how the Juniper Mist™ cloud supports PCI DSS across the wired, wireless, and SD-WAN domains.
Introduction
PCI DSS was created as a common standard to protect against credit card and payment data fraud in retail and in other industries, such as banking, where online payments are made. By providing consistent security policies and best practices, PCI DSS enables security personnel and network administrators to counter known threats to payment data. PCI DSS 4.0 was published in March 2022 and became the only active version when v3.2.1 was retired on March 31, 2024.
The network is a critical cornerstone of PCI DSS compliance because it is the primary channel for transmitting payment data. PCI DSS requirements are designed to ensure that network security operations and practices eliminate or minimize known risks. They also require the organization to define traceable, well-structured policies, procedures, and practices that can be audited.
The wireless network is especially important to retail environments because business operations and digital engagement technologies rely on mobile connectivity. Point-of-sale (POS) devices, scanners, barcode readers, printers, and mobile computers, for example, all operate on wireless LANs (WLANs) that serve as the lifeblood of retail operations. PCI DSS compliance for wireless networks specifies two types of requirements:
- Generally applicable wireless—These requirements apply even when the wireless network is not in scope of the Cardholder Data Environment (CDE). They include strong network segmentation to protect the CDE network and security against attacks from rogue or unknown wireless Access Points (APs) and clients.
- Securing wireless in a CDE—These requirements are mandated for systems that transmit payment card data over wireless or wired technology. In addition to the generally applicable wireless requirements, they impose further controls: changing default passwords and configurations, using strong encryption and authentication, keeping the system updated with compliant software, and monitoring access.
PCI DSS 4.0 Attestation of Compliance (AOC)
The Juniper Mist solution has been assessed by an independent PCI DSS security assessor and holds a PCI DSS 4.0 Attestation of Compliance (AOC). Request the AOC from Juniper to include in your own assessment evidence; an AOC covers the assessed service, not your deployment of it.
Cloud Security
The Juniper Mist cloud sits outside the CDE because client data traffic never traverses it: APs send only management and telemetry to the cloud, and wireless user data stays on the local network. (Confirm this scoping decision with your assessor, since systems that can affect the security of the CDE may still be treated as connected to it.) Regardless, Mist applies additional measures to protect the security, processing integrity, and availability of the Mist cloud:
- Hosted in SOC 2 Type 2 / ISO 27001 / PCI DSS-compliant data centers.
- Maintains an information security policy.
- Uses network and application firewalls and access control lists.
- Uses intrusion detection and intrusion prevention systems (IDS/IPS).
- Uses industry-standard encryption at multiple layers.
- Obfuscates data stored in the cloud.
- Integrates security into the development cycle, with penetration tests performed to find vulnerabilities at the network and application layers.
- Performs regularly scheduled internal and external vulnerability scans.
- Provides annual security awareness training for all in-scope employees.
- Performs an annual risk assessment.
- Maintains an incident response plan.
- Obtains an annual PCI DSS Attestation of Compliance (AOC) from an independent PCI DSS security assessor.
The following schemes can be implemented in a Mist environment to achieve network segmentation:
- Physical segmentation—Connect the wireless APs to a wired network that is physically separate from the CDE network. This implies an overlay wired and wireless infrastructure with no intersection with the CDE wired network: no firewall, switch, or Internet connection is shared between the CDE and non-CDE networks.
- VLAN-based logical segmentation—It is common to use VLANs to divide the network into logical subnets. Placing the wireless network and the CDE in different VLANs provides logical separation, but on its own it is not considered adequate segmentation; access control policies (firewall rules or ACLs) must be enforced between the VLANs, and that enforcement must be verified during segmentation testing.
- Firewall separation—If the WLAN is connected to the CDE, a firewall between the wireless network and the CDE network that restricts traffic to what is explicitly required is an acceptable form of segmentation under PCI DSS 4.0.
- Software-defined policy engine—Mist's integrated WxLAN policy engine can isolate wireless traffic from the CDE. WxLAN is an inline policy engine that supports role-, user-, application-, and resource-based access policies, enforced at the AP for every WLAN configured in the system, so a guest or IoT WLAN can be blocked from reaching the LAN or CDE resources.
To ensure that the wireless network meets the generally applicable PCI DSS requirements, retailers need to pay special attention to the following:
- Rogue devices—Unsanctioned APs, connected accidentally or maliciously to the wired network, that give anyone who associates to them a wireless path into internal network resources.
- Honeypot devices—Accidental or malicious APs that masquerade as sanctioned APs by beaconing the retailer's SSID, luring clients into connecting to them.
- Non-compliant and unsanctioned APs—Sanctioned APs that are out of compliance, for example running old firmware that lacks critical security fixes, and neighboring APs that cause inadvertent interference to wireless operations inside a retail store or warehouse.
A wireless intrusion detection and prevention system (WIDS/WIPS) is needed to monitor the RF environment, identify these devices, and keep APs that are not used for cardholder data isolated from it. Traditionally, WLAN vendors have addressed WIDS/WIPS requirements in two ways:
- Part-time scanning—When not serving clients, APs scan the spectrum for rogue devices. This is a security control that works only some of the time, not 24x7.
- Dedicated sensor APs—These APs provide 24x7 security monitoring of the wireless network. While this approach ensures continuous protection, it substantially increases deployment cost: additional APs plus the PoE cabling back to the IDF/MDF to power the sensors.
Some vendors use dual-band radios in APs and repurpose one radio as the sensor. This complicates channel planning and can leave coverage gaps. Other vendors offer a tri-radio AP with a dedicated third radio but deploy it as a complete overlay monitoring solution separate from the rest of the wireless infrastructure and controller, with isolated data sources, databases, visualization, and even separate controls for radio configuration and provisioning.
Mist APs scan the spectrum continuously, 24x7, alongside 2.4 GHz, 5 GHz, and 6 GHz client access. Mist continually scans for rogues, honeypots, interference, and anomalies such as a spike in unsuccessful connection attempts at a site (which may indicate a denial-of-service attack).
The Mist platform maintains a baseline for key metrics across all APs, clients, locations, sites, and site groups, and its AI-driven analytics flag unusual activity at every level of the network, both known threat patterns and anomalies with no existing signature. In addition, Mist's location technology can pinpoint accidental or malicious rogue devices and provide location-based access to resources.
Mist's machine learning framework can be extended to behavioral analytics in which client device capabilities are checked against the "normal" baseline. Alerts are generated when a key posture changes, such as a 4x4 client device suddenly appearing as a 2x2 device, or a client device sanctioned for a California location accessing the network from New York.
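The rogue, honeypot, neighbor and non-compliant categories above can be reduced to a small classification rule set. The following is an added example with hypothetical logic; it is not Juniper Mist's WIDS/WIPS implementation. The sanctioned inventory, switch MAC-address table, scan results, minimum firmware version and the wired-correlation window are all constructed for illustration.

```python
"""Classify APs observed in an RF scan: sanctioned, non-compliant, honeypot, rogue or neighbor.

Added example with hypothetical logic; it is not Juniper Mist's WIDS/WIPS
implementation. Inventory, switch MAC table and scan results are constructed.
"""
from typing import Dict, Iterable, List

# Constructed inventory of sanctioned APs, keyed by radio BSSID.
SANCTIONED_APS = {
    "5c:5b:35:10:20:30": {"name": "store-12-ap1", "firmware": "0.12.27"},
    "5c:5b:35:10:20:40": {"name": "store-12-ap2", "firmware": "0.10.24"},
}
SANCTIONED_SSIDS = {"RetailCorp-POS", "RetailCorp-Scanners"}
MIN_FIRMWARE = "0.12.27"  # constructed minimum compliant AP firmware

# Constructed switch MAC-address table: MACs learned on wired access ports.
WIRED_MACS = {
    "5c:5b:35:10:20:30",  # store-12-ap1 uplink
    "5c:5b:35:10:20:40",  # store-12-ap2 uplink
    "a4:12:42:00:00:10",  # unknown device on a back-office port
    "00:1a:2b:3c:4d:5e",  # a POS terminal
}

# Constructed over-the-air scan: one entry per BSSID heard by the sensor radio.
SCAN_RESULTS = [
    {"bssid": "5c:5b:35:10:20:30", "ssid": "RetailCorp-POS"},
    {"bssid": "5c:5b:35:10:20:40", "ssid": "RetailCorp-Scanners"},
    {"bssid": "a4:12:42:00:00:1f", "ssid": "linksys"},           # plugged into our LAN
    {"bssid": "d8:3a:dd:77:88:99", "ssid": "RetailCorp-POS"},    # spoofs our SSID
    {"bssid": "f0:9f:c2:11:22:33", "ssid": "CoffeeShop-WiFi"},   # next door
]


def _mac_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def _version(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


def seen_on_wire(bssid: str, wired_macs: Iterable[str], window: int = 16) -> bool:
    """Wired-correlation heuristic (assumption): many APs derive their BSSIDs from
    the wired MAC by a small offset, so a wired MAC within `window` addresses of a
    BSSID indicates the AP is attached to our LAN."""
    b = _mac_int(bssid)
    return any(abs(b - _mac_int(m)) < window for m in wired_macs)


def classify(scan: List[Dict[str, str]], sanctioned: Dict[str, Dict[str, str]],
             sanctioned_ssids: set, wired_macs: Iterable[str], min_fw: str) -> Dict[str, str]:
    """Return {bssid: category}. Order matters: a spoofed SSID is a honeypot even if
    the device is also on the wire, because the SSID spoofing is the higher risk."""
    result: Dict[str, str] = {}
    for entry in scan:
        bssid, ssid = entry["bssid"].lower(), entry["ssid"]
        if bssid in sanctioned:
            fw = sanctioned[bssid]["firmware"]
            result[bssid] = "sanctioned" if _version(fw) >= _version(min_fw) else "non-compliant"
        elif ssid in sanctioned_ssids:
            result[bssid] = "honeypot"
        elif seen_on_wire(bssid, wired_macs):
            result[bssid] = "rogue"
        else:
            result[bssid] = "neighbor"
    return result


if __name__ == "__main__":
    for bssid, category in classify(SCAN_RESULTS, SANCTIONED_APS, SANCTIONED_SSIDS,
                                    WIRED_MACS, MIN_FIRMWARE).items():
        print(f"{bssid}  {category}")
```

The wired-correlation step is what separates a rogue (a PCI finding that needs containment) from a harmless neighbor; a production WIPS would also confirm the correlation actively, for example by injecting a marker frame over the air and looking for it on the wire.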
Securing Wireless in the Cardholder Data Environment (CDE)
The second set of requirements applies to wireless devices on the same network where cardholder data is handled. Mist lets you run a PCI scan over the VLANs and WLANs in scope, remediate the vulnerabilities it finds on the wireless network, and enforce policies through the wireless management system. The table below maps the wireless-related requirements to Mist capabilities. Note that the requirement numbers in the table follow PCI DSS v3.1; v4.0 renumbered them (for example, 4.1.1 became 4.2.1.2 and 11.1 became 11.2.1), so map each row to the current numbering when assembling assessment evidence.
PCI DSS requirement for wireless (v3.1 numbering) | Mist conforms | Mist value proposition |
---|---|---|
1.1.2 Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks. | √ | Mist's PCI scan report identifies the wireless SSIDs and APs that connect to the CDE, which supplies the wireless portion of the network diagram. |
2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. | √ | Mist APs have no default passwords, encryption keys, or SNMP community strings to change. |
2.4 Maintain an inventory of system components that are in scope for PCI DSS. | √ | Mist provides a list of the wireless networks and APs that are in scope of PCI DSS. |
4.1.1 Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices to implement strong encryption for authentication and transmission. | √ | Mist supports strong encryption, including WPA2-PSK and WPA2-Enterprise (802.1X) with AES-CCMP. The PCI scan report flags any weak encryption configured on an SSID in scope of the CDE. |
6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release. Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1. | √ | Mist makes the latest released firmware available, including any critical fix required for the integrity of the wireless network, and identifies any AP that has not yet been upgraded to it. |
7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access. | √ | Wireless network administration is restricted to authorized administrators, all of whom are listed on the Mist PCI scan report. |
7.2 Establish an access control system(s) for system components that restricts access based on a user's need to know and is set to "deny all" unless specifically allowed. | √ | Mist administrators are assigned roles with a limited scope of access; the default administrator role is Observer (view-only). |
8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data. | √ | Every Mist administrator has a unique login; the PCI scan report lists the authorized administrators (see 7.1). |
8.2 In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; something you are, such as a biometric. | √ | All Mist administrators are authenticated with complex passwords or two-factor authentication (2FA). |
9.1.3 Restrict physical access to APs, gateways, hand-held devices, networking/communications hardware, and telecommunication lines. | √ | Mist APs can be physically secured with the screws and brackets supplied in the AP kit; the Kensington lock slot on the AP provides additional physical security. |
10.1 Implement audit trails to link all access to system components to each individual user. | √ | All system access, updates, and configuration changes are tracked in an audit log. |
10.5.4 Write logs for external-facing technologies onto a secure, centralized, internal log server or media device. | √ | All event logs are stored on centralized servers in the Mist cloud platform, which is hosted in a SOC 2 Type 2 data center. |
11.1 Implement processes to test for the presence of APs (802.11), and detect and identify all authorized and unauthorized APs on a quarterly basis. Note: Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS. Whichever methods are used, they must be sufficient to detect and identify both authorized and unauthorized devices. | √ | Mist WIDS/WIPS detects authorized and unauthorized APs on the network continuously, eliminating the need for manually intensive quarterly wireless scans. Rogue AP detection and containment protect the CDE network from compromise. |
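Several rows of the table (2.1.1, 2.4, 4.1.1, 6.2 and 8.2) describe checks that a PCI scan report performs over the wireless inventory. The following added example shows such a scan as hypothetical code; it is not Mist's PCI scan implementation. The inventory, the CDE VLAN, the minimum firmware version, the list of default secrets and the rule that every administrator must have 2FA enabled are all constructed assumptions, and the requirement numbers are the v3.1 numbers used in the table.

```python
"""PCI-style configuration scan over a constructed WLAN inventory.

Added example (not Mist's own PCI scan): checks in-scope SSIDs, APs and
administrators against the wireless requirements in the table above, using
the v3.1 requirement numbers that the table uses. All data is constructed.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (requirement, component, detail)

# Authentication modes and ciphers that do not qualify as strong cryptography.
WEAK_AUTH = {"open", "wep", "wpa1-psk", "wpa1-enterprise"}
WEAK_CIPHERS = {"wep", "tkip", "none"}
MIN_FIRMWARE = "0.12.27"                              # constructed minimum compliant version
DEFAULT_SECRETS = {"password", "admin", "12345678"}   # constructed vendor/default list

# Constructed inventory. VLAN 100 is the CDE; VLAN 300 is a segmented guest network.
INVENTORY = {
    "cde_vlans": {100},
    "wlans": [
        {"ssid": "RetailCorp-POS",      "vlan": 100, "auth": "wpa2-enterprise", "cipher": "ccmp"},
        {"ssid": "RetailCorp-Scanners", "vlan": 100, "auth": "wpa2-psk",        "cipher": "tkip", "psk": "password"},
        {"ssid": "RetailCorp-Guest",    "vlan": 300, "auth": "open",            "cipher": "none"},
    ],
    "aps": [
        {"name": "store-12-ap1",  "firmware": "0.12.27", "wlans": ["RetailCorp-POS", "RetailCorp-Guest"]},
        {"name": "store-12-ap2",  "firmware": "0.10.24", "wlans": ["RetailCorp-Scanners"]},
        {"name": "warehouse-ap1", "firmware": "0.10.24", "wlans": ["RetailCorp-Guest"]},
    ],
    "admins": [
        {"login": "netops@retailcorp.example", "role": "admin",    "mfa": True},
        {"login": "intern@retailcorp.example", "role": "observer", "mfa": False},
    ],
}


def _version(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))


def in_scope(inv: Dict) -> Dict[str, List[str]]:
    """Req. 1.1.2 / 2.4: SSIDs on CDE VLANs and the APs that broadcast them."""
    ssids = [w["ssid"] for w in inv["wlans"] if w["vlan"] in inv["cde_vlans"]]
    aps = [ap["name"] for ap in inv["aps"] if set(ap["wlans"]) & set(ssids)]
    return {"ssids": ssids, "aps": aps}


def scan(inv: Dict) -> List[Finding]:
    scope = in_scope(inv)
    findings: List[Finding] = []
    for w in inv["wlans"]:
        if w["ssid"] not in scope["ssids"]:
            continue  # a segmented WLAN is not held to 4.1.1
        if w["auth"] in WEAK_AUTH or w["cipher"] in WEAK_CIPHERS:
            findings.append(("4.1.1", w["ssid"], f"weak auth/cipher: {w['auth']}/{w['cipher']}"))
        psk = w.get("psk")
        if psk is not None and (psk in DEFAULT_SECRETS or len(psk) < 12):
            findings.append(("2.1.1", w["ssid"], "default or short pre-shared key"))
    for ap in inv["aps"]:
        if ap["name"] in scope["aps"] and _version(ap["firmware"]) < _version(MIN_FIRMWARE):
            findings.append(("6.2", ap["name"], f"firmware {ap['firmware']} < {MIN_FIRMWARE}"))
    for admin in inv["admins"]:
        # Assumption: the organization mandates 2FA for every management login.
        if not admin["mfa"]:
            findings.append(("8.2", admin["login"], "two-factor authentication not enabled"))
    return findings


if __name__ == "__main__":
    for req, component, detail in scan(INVENTORY):
        print(f"{req:6} {component:30} {detail}")
```

Scoping comes first: the guest SSID on VLAN 300 and the warehouse AP that only carries it are left out of the 4.1.1 and 6.2 checks because they are segmented from the CDE, which is exactly why the segmentation itself must be verified rather than assumed.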
Conclusion
As organizations rely more on wireless networks as a key enabler for business services, PCI DSS requires careful attention to WLAN security.
Fortunately, Mist has you covered. By protecting wireless networks from external attack and ensuring that data transferred on CDE networks is always protected, the Mist Learning WLAN is a sound choice for mission-critical wireless networks in PCI environments. The key difference in the Mist architecture is how the workflows have been streamlined into a cohesive experience for network IT, security operations teams, marketing, and other lines of business. With Mist, access-layer connectivity and its associated applications are about delivering a comprehensive and secure experience.