Q&A
PCI Council to Merchants: Kiss Your WEP Goodbye
Bob Russo and Troy Leach of the PCI Security Standards Council explain why ending WEP is key to bolstering wireless security
By Bill Brenner, Senior Editor
August 22, 2008 — CSO —
The security savvy know WEP is full of holes and shouldn't be used. That's not stopping some merchants from doing just that.
As a result, the PCI Security Standards Council is mandating its eradication in the next two years. The first step toward that is some fresh language on wireless security in the next version of the PCI Data Security Standard (PCI DSS).
The council released a summary of PCI DSS Version 1.2 earlier this week and will officially launch it Oct. 1. Among other things, the council will remove references to WEP security and instead push organizations to use stronger forms of wireless network encryption. New WEP deployments won't be allowed after March 31, 2009, and current implementations must stop using WEP after June 30, 2010.
In this Q&A, PCI Security Standards Council General Manager Bob Russo and Technical Director Troy Leach explain the reasoning behind the move as well as other changes in Version 1.2.
CSO: What will people notice the most about Version 1.2?
Bob Russo: I think the top-of-mind here should be clarity -- making sure people understand specifically what the intent [of the standard] is. This is the culmination of two years of feedback the council has received. We've clarified specifics as to what needs to be secured. In some instances we've had to put a line in the sand and let people understand we're moving away from some things at some point.
Give an example of that.
Russo: Wireless is a major area. We've had to make some specific clarifications and let people know we are eventually moving away from WEP… We need to let people know there are other technologies available and that it's time we moved on to some of those new technologies.
What's the timetable for no longer allowing anything with WEP?
Russo: I don't think you can draw absolutes. There are always exceptions to the rules. But what we've stated in the summary is no more new implementations of WEP after March 1, 2009 and the current implementations have to stop by the end of June 2010. There will always be issues and we'll need to move slowly and deal with problems on a case-by-case basis. But we need to let people know we are moving away from WEP.
For those who may not have the background on wireless security, talk about why WEP needs to be done away with.
Troy Leach: There are inherent authentication vulnerabilities in WEP. That's why even in PCI DSS Version 1.1 we put in a lot of caveats to using WEP; a lot of additional requirements for using it. If you deploy WEP, there are sub-requirements that became a little confusing for some of the merchants so we decided to follow what the rest of the industry is pushing and move toward a [better] wireless security standard.
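To make Leach's point about WEP's authentication weakness concrete, here is an added example that is not part of the article or of any PCI material: a toy re-creation of WEP shared-key authentication showing why an eavesdropper who watches one legitimate login can then authenticate without ever learning the key. RC4, the 3-byte IV prepended to the key, and the CRC-32 ICV are how WEP actually works; the WEP key, IV and challenges are constructed here, and 802.11 headers and the key-ID byte are omitted for brevity.

```python
"""
WEP shared-key authentication and its keystream-reuse flaw (added example).
The AP sends a 128-byte challenge in the clear; the station returns it
WEP-encrypted. Because the challenge is public, anyone sniffing learns
RC4(IV||key) for that IV and can answer any later challenge with it.
"""
import os
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 keystream generator (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(plaintext).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body: IV (sent in clear) || RC4(IV||key) XOR (plaintext || ICV)."""
    ks = rc4(iv + key, len(plaintext) + 4)
    return iv + bytes(a ^ b for a, b in zip(plaintext + _icv(plaintext), ks))


def wep_decrypt(key: bytes, frame: bytes):
    """Return the plaintext, or None if the ICV does not match."""
    iv, body = frame[:3], frame[3:]
    data = bytes(a ^ b for a, b in zip(body, rc4(iv + key, len(body))))
    plaintext, icv = data[:-4], data[-4:]
    return plaintext if _icv(plaintext) == icv else None


def ap_verify(key: bytes, challenge: bytes, response: bytes) -> bool:
    """Access point side: decrypt the response and compare with the challenge."""
    return wep_decrypt(key, response) == challenge


def recover_keystream(challenge: bytes, response: bytes):
    """Eavesdropper: keystream = (challenge || ICV) XOR ciphertext body."""
    iv, body = response[:3], response[3:]
    ks = bytes(a ^ b for a, b in zip(challenge + _icv(challenge), body))
    return iv, ks


def forge_response(iv: bytes, ks: bytes, challenge: bytes) -> bytes:
    """Answer a new challenge with the recovered keystream; no key needed."""
    return iv + bytes(a ^ b for a, b in zip(challenge + _icv(challenge), ks))


def demo():
    """Returns (legitimate auth succeeded, forged auth succeeded)."""
    wep_key = bytes.fromhex("0123456789abcdef0123456789")  # constructed WEP-104 key
    # Round 1: a real station authenticates; the attacker only listens.
    challenge1 = os.urandom(128)
    iv = b"\x01\x02\x03"  # the station chooses the IV, so reuse is allowed by design
    response1 = wep_encrypt(wep_key, iv, challenge1)
    legit_ok = ap_verify(wep_key, challenge1, response1)
    # Both challenge1 and response1 were on the air; derive the keystream.
    iv_seen, ks = recover_keystream(challenge1, response1)
    # Round 2: the attacker is challenged and replies using the same IV.
    challenge2 = os.urandom(128)
    forged_ok = ap_verify(wep_key, challenge2, forge_response(iv_seen, ks, challenge2))
    return legit_ok, forged_ok


if __name__ == "__main__":
    print("legitimate, forged:", demo())
```

Note that the forged response passes for any challenge, not just a replay, because the recovered 132 bytes of keystream cover the full challenge plus ICV and WEP never stops a station from reusing an IV. WPA/WPA2's 4-way handshake does not transmit a value that can be combined this way, which is the practical difference the standard is pushing merchants toward.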