Achieving PCI DSS v1.2 Compliance on Wireless Printers

Posted May 11, 2010

Executive Summary

The challenges of meeting Payment Card Industry (PCI) security standards and the horror stories of failing to comply continue to grow. Security breaches at several major retailers have resulted in estimated costs of as high as $1 billion per retailer. The U.S. Identity Theft Protection Act has established fines of up to $11,000 per customer record for database breaches. In fact, 14 percent of retailers have suffered a breach and only 28 percent of retailers are fully compliant with PCI requirements, according to the Retail Systems Alert Group 2006-2007 Retail Data Security study. Since that study, retailers have taken notice, and compliance rates are steadily increasing.

Merchants who do not comply are at risk for fines, higher processing fees and even the loss of card-processing privileges. PCI implementation costs are a major concern for many businesses, even if the cost of noncompliance is potentially so much higher. Consider that the cost of new preventative measures only averages 4 percent of the total breach cost, or $180,000.[1]

Amid these concerns, it is easy for retailers to lose sight of both the big picture and important details. PCI compliance is a major milestone, but it is only a means to an end of having secure processes, networks, data, devices, and peripherals. If a single networked device is non-compliant, the entire network and the retail information systems behind it are all non-compliant. This is why protecting peripherals is an essential, if somewhat overlooked, component of PCI compliance.

This white paper explains how PCI Data Security Standard (DSS) version 1.2 applies to wireless peripherals and presents options for including secure wireless printers in PCI-compliant wireless networks.

Take Network Security Seriously

Many retailers are unwittingly out of compliance with PCI DSS v1.2 because they do not realize its scope, particularly how the standard applies to peripherals. Because of the tougher wireless security requirements included in PCI DSS v1.2, many wireless computers, printers and other peripherals retailers use every day do not comply.

There is no reason for a printer to be a weak link in wireless network security. Wireless printers can support PCI requirements and other advanced protocols and strategies used to protect mobile computers, POS stations and other wireless devices. Supported security includes 802.11i, 802.1x, LEAP, WPA, and WPA2 security protocols. Wireless printers support AES, IPSec, SSL and other advanced encryption and authentication protocols, and can be included in virtual private networks (VPNs).

How PCI DSS v1.2 Applies to Printers

The primary changes from PCI version 1.1 to version 1.2 that affect wireless printers include:

  • Wireless networks and devices should implement the latest industry best practices (802.11x).

  • Wireless networks and devices can no longer use WEP after June 30, 2010.

  • Wireless networks and devices can no longer send unencrypted primary account numbers (PANs) using end-user messaging systems.

The revisions in PCI DSS version 1.2 increase data security and help minimize the risk of data breaches that can damage the public perception of the security practices of retail merchants and financial institutions involved in the payments chain. There are 12 major requirements, all of which must be met to comply with PCI DSS v1.2. The sections that follow present the most relevant requirements, and tips for meeting them.[2]

PCI DSS v1.2 Requirement 2—Do not use vendor-supplied defaults for system passwords and other security parameters.

At one time, it was common to deploy wireless LANs secured with default passwords and security configurations, but the industry has largely abandoned this practice in favor of more secure methods. To comply, activate security settings during installation (some systems default to security turned off), and create original passwords. Businesses should review older systems to make sure they are compliant.

Requirement 4—Encrypt transmission of cardholder data across open, public networks.

PCI considers wireless LANs to be public networks. This requirement also covers Internet and cellular transmissions, so it applies to merchants who wirelessly process payments for delivery, service, home sales, and other remote commerce. WPA, WPA2, 802.1x, 802.11i and other standard wireless LAN security protocols provide data encryption, as do wide-area cellular networks. New wireless networks should now start implementing industry best practices such as IEEE 802.11x.

Requirement 4.1—Use strong cryptography and security protocols such as secure sockets layer (SSL)/transport layer security (TLS) or Internet protocol security (IPsec) to safeguard sensitive cardholder data during transmission over open, public networks.

This requirement applies to wired and wireless, stationary and mobile, and local or Web communications over public networks. Support for SSL, TLS, and IPsec is available for wireless printers. Pay careful attention to specifications because there are different varieties of these protocols (e.g., EAP, LEAP, PEAP), so compatibility with the network infrastructure is not assured.

Requirement 4.1.1—Ensure wireless networks transmitting cardholder data, or connected to the cardholder data environment, use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission.

  • For new wireless implementations, it is prohibited to implement WEP after March 31, 2009.

  • For current wireless implementations, it is prohibited to use WEP after June 30, 2010.

New wireless implementations can no longer deploy WEP. Existing wireless implementations must cease using WEP after June 30, 2010. Until that date, networks and devices can use WEP if the network also deploys WPA, WPA2, or a VPN. If WEP is used, do the following:

  • Use a minimum 104-bit encryption key and a 24-bit initialization value.

  • Rotate shared WEP keys at least quarterly and whenever there are changes in personnel with key access.

  • Restrict network access to known MAC addresses.
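The cut-off dates and interim WEP conditions above, together with the Requirement 2 rule against vendor-supplied defaults, are mechanical enough to check automatically across a fleet of printers. The script below is an added example and is not code from Zebra or the PCI Security Standards Council; the configuration record format and field names, the 92-day reading of "quarterly", the placeholder default password and the sample fleet are all constructed assumptions for illustration.

```python
"""Audit wireless printer configuration records against the PCI DSS v1.2
wireless rules described above: Requirement 2 (no vendor defaults) and
Requirement 4.1.1 (WEP cut-off dates and interim WEP conditions).
Added example; the record schema is an assumption, not a vendor or PCI format."""

from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Cut-off dates quoted in PCI DSS v1.2 Requirement 4.1.1.
WEP_BAN_NEW_DEPLOYMENTS = date(2009, 3, 31)
WEP_BAN_ALL_DEPLOYMENTS = date(2010, 6, 30)

# "At least quarterly" key rotation; one quarter is taken as 92 days (assumption).
MAX_KEY_AGE_DAYS = 92

# Constructed placeholder for a vendor default credential. A real audit would
# load the documented default for each printer model instead.
VENDOR_DEFAULT_PASSWORDS = {"DEFAULT-PLACEHOLDER"}


@dataclass
class PrinterWirelessConfig:
    name: str
    deployed_on: date                      # date the wireless implementation went live
    security_mode: str                     # "open", "wep", "wpa" or "wpa2"
    admin_password: str
    wep_key_bits: int = 0
    wep_iv_bits: int = 0
    wep_key_rotated_on: Optional[date] = None
    mac_filtering: bool = False
    vpn_in_use: bool = False               # WEP traffic is additionally tunnelled in a VPN
    overlay_wpa: bool = False              # the network also deploys WPA/WPA2 alongside WEP


def audit(cfg: PrinterWirelessConfig, assessed_on: date) -> List[str]:
    """Return the findings for one device; an empty list means nothing was flagged."""
    findings: List[str] = []

    # Requirement 2: vendor defaults must be replaced and security switched on.
    if cfg.admin_password in VENDOR_DEFAULT_PASSWORDS:
        findings.append("R2: vendor default administrator password in use")
    if cfg.security_mode == "open":
        findings.append("R4.1.1: wireless security disabled (open network)")

    if cfg.security_mode == "wep":
        if cfg.deployed_on > WEP_BAN_NEW_DEPLOYMENTS:
            # New implementations may not use WEP at all after 31 Mar 2009.
            findings.append("R4.1.1: WEP on a deployment newer than 31 Mar 2009")
        elif assessed_on > WEP_BAN_ALL_DEPLOYMENTS:
            # Existing implementations must have stopped using WEP after 30 Jun 2010.
            findings.append("R4.1.1: WEP still in use after 30 Jun 2010")
        else:
            # Interim period: WEP is tolerated only alongside WPA/WPA2 or a VPN,
            # and only with the compensating measures listed in the standard.
            if not (cfg.overlay_wpa or cfg.vpn_in_use):
                findings.append("R4.1.1: WEP without a WPA/WPA2 or VPN overlay")
            if cfg.wep_key_bits < 104:
                findings.append(f"R4.1.1: WEP key is {cfg.wep_key_bits} bits (minimum 104)")
            if cfg.wep_iv_bits != 24:
                findings.append(f"R4.1.1: WEP IV is {cfg.wep_iv_bits} bits (expected 24)")
            if (cfg.wep_key_rotated_on is None
                    or (assessed_on - cfg.wep_key_rotated_on).days > MAX_KEY_AGE_DAYS):
                findings.append("R4.1.1: WEP key not rotated within the last quarter")
            if not cfg.mac_filtering:
                findings.append("R4.1.1: MAC address restriction not enabled")
    return findings


def audit_fleet(fleet: List[PrinterWirelessConfig], assessed_on: date) -> dict:
    """Map each device name to its list of findings."""
    return {cfg.name: audit(cfg, assessed_on) for cfg in fleet}


# Constructed sample fleet (not real device data).
SAMPLE_FLEET = [
    # Legacy WEP shelf-label printer with every interim condition satisfied.
    PrinterWirelessConfig("shelf-label-1", date(2008, 11, 3), "wep", "s3cret-rotated",
                          wep_key_bits=104, wep_iv_bits=24,
                          wep_key_rotated_on=date(2010, 3, 15),
                          mac_filtering=True, overlay_wpa=True),
    # WEP on a post-March-2009 deployment, still on the default password.
    PrinterWirelessConfig("returns-desk", date(2009, 9, 1), "wep", "DEFAULT-PLACEHOLDER",
                          wep_key_bits=40, wep_iv_bits=24),
    # WPA2 portable POS printer with a unique credential.
    PrinterWirelessConfig("portable-pos-2", date(2010, 1, 20), "wpa2", "long-unique-passphrase"),
]

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_FLEET, date(2010, 5, 11)).items():
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

Running the script as of May 2010 passes the legacy WEP printer because its compensating measures are in place, fails the returns-desk printer on both the default password and the post-2009 WEP deployment, and passes the WPA2 device. Re-running the same audit with an assessment date after June 30, 2010 turns the legacy printer into a finding, which is exactly the deadline effect the requirement describes.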

Requirement 4.2— Never send unencrypted PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat).

The new requirement disallows sending primary account numbers (PANs) through text-based communications without first encrypting the PAN. Text-based communications include e-mail, instant messaging, chat, and short message service (SMS).

Other requirements of PCI DSS v1.2 relate to networks, applications and IT infrastructure, so printers and other peripherals must be compatible with enterprise IT policies and standards. Additional PCI components that may impact printers include:

  • Requirement 1—Install and maintain a firewall to protect cardholder data.

  • Requirement 6—Develop and maintain secure systems and applications.

  • Requirement 8—Assign a unique ID to each person with computer access.

  • Requirement 10—Track and monitor all access to network resources and cardholder data.

  • Requirement 11—Regularly test security systems and processes.

  • Requirement 12—Maintain a policy that addresses information security for employees and contractors.

Meeting all these requirements may seem complex and burdensome, but in fact, it is quite manageable. Many retailers have complied with PCI DSS v1.2 and use wireless printers for shelf labeling, markdown management, stock keeping, returns processing, assisted shopping, portable POS, and other applications daily.

None of the PCI DSS v1.2 wireless requirements calls for products or technologies that do not yet exist. In fact, securing wireless printers may be one of the easier aspects of PCI compliance because products are already available that support the necessary security protocols. In addition, automated management applications are available to reduce much of the traditional configuration and upgrade time requirements and costs, especially for remote devices. The following sections describe specific security capabilities and management options for wireless printers from Zebra Technologies.

Security Options for Zebra® Wireless Printers

Zebra Technologies provides flexible, standards-based, and current security solutions configurable on mobile, tabletop, and cart-mounted printers. Many models support WPA, WPA2, and other PCI requirements and are fully compatible with LEAP and other security protocols used in 802.11b/g/i/x wireless networks from Cisco Systems, Motorola and other providers.

Different security levels and protocols can be implemented in each type of Zebra printer—mobile, tabletop and cart-mounted. The exact security available depends on the printer model, connection method and radio model used. Support referenced in this white paper applies only to radios tested and approved by Zebra for use with its printers. Zebra frequently updates security support, so check with Zebra or speak with a Zebra representative for the most current information. Mobile models work on wireless networks through integrated radios, while cart-mounted and stationary wireless printers use a print server for access to the wireless network. Table 1 summarizes the security available for Zebra wireless printers.

Table 1: Quick Reference to Wireless Security Available for Zebra Printers

Columns (printer family / tested radio):
  (1) QL Plus™, RW™ / Motorola® Symbol 11b (LA-4137 CF)
  (2) QL Plus, RW, MZ™, PS4000™ / Zebra 802.11b/g
  (3) GX™ series, HC100 / Zebra 802.11b/g
  (4) ZebraNet® Wireless Plus Print Server / Motorola® Symbol 11b (LA-4137 CF)
  (5) ZebraNet® Wireless Plus Print Server / Cisco® 802.11b/g (CB21)
  (6) ZebraNet® Internal Wireless Plus Print Server / Zebra 802.11b/g

WLAN security                                        (1)  (2)  (3)  (4)  (5)  (6)
WEP                                                  Yes  Yes  Yes  Yes  Yes  Yes
IEEE 802.1X authentication schemes
  LEAP                                               Yes  Yes  Yes  Yes  Yes  Yes
  EAP-FAST                                           Yes  Yes  Yes  Yes  Yes  Yes
  PEAP                                               Yes  Yes  Yes  Yes  Yes  Yes
  EAP-TLS                                            Yes  Yes  Yes  Yes  Yes  Yes
  EAP-TTLS                                           Yes  Yes  Yes  Yes  Yes  Yes
WPA (Wi-Fi® Protected Access): 802.1X + WPA TKIP
  with LEAP                                          Yes  Yes  Yes  Yes  Yes  Yes
  with EAP-FAST                                      Yes  Yes  Yes  Yes  Yes  Yes
  with PSK (pre-shared key)                          Yes  Yes  Yes  Yes  Yes  Yes
  with PEAP                                          Yes  Yes  Yes  Yes  Yes  Yes
  with EAP-TLS                                       Yes  Yes  Yes  Yes  Yes  Yes
  with EAP-TTLS                                      Yes  Yes  Yes  Yes  Yes  Yes
IEEE 802.11i (WPA2): 802.1X + AES encryption
Airbeam Safe-VPN                                     Yes  Yes  No   No   No   No

Managing Security on Zebra Printers

Wireless security is dynamic and evolving. Wireless infrastructures—including printers and their management tools—must be flexible enough to enable change so users can easily implement the latest upgrades and options to optimize their network security.

Zebra offers powerful management options that make it simple to deploy, monitor, configure, and upgrade security protocols on Zebra printers, such as ZebraNet™ Bridge Enterprise. Businesses can also manage select Zebra mobile printers with Motorola’s Mobility Services Platform (MSP) and Wavelink Corp.’s Avalanche software—both applications provide a complete management environment for multiple types of wireless devices from different manufacturers.

Using ZebraNet Bridge Enterprise, Motorola MSP or Wavelink Avalanche® network management utilities, system administrators can remotely implement software updates and security upgrades, configure devices, and modify settings. With these tools and Zebra wireless printers, IT administrators can maintain complete visibility and control over the devices from a single, remote console—without ever having to physically touch the printers. The ability to effectively manage and secure all types of mobile devices from a single point significantly reduces the support costs across an enterprise’s wireless network.

Lock Down Wireless Network Security

In the major effort to bring data centers and enterprise systems into PCI compliance, it is easy to overlook a legacy stock keeping or shelf labeling application at a distant store. However, it only takes one oversight to put your entire system, your customers’ data, and your merchant status at risk. Protecting wireless printers is necessary for PCI compliance, but it is not necessarily difficult because of the advanced security and support available. Zebra offers a wide range of wireless printer solutions, networking tools and management resources to help retailers meet their security and business needs.

  1. PGP Research Study, “2010 Annual Study: Cost of a Data Breach,” February 2010.
  2. PCI Security Standards Council, “The Prioritized Approach to Pursue PCI DSS Compliance,” February 2009.
