The challenges of meeting Payment Card Industry (PCI) security standards and the horror stories of failing to comply continue to grow. Security breaches at several major retailers have resulted in estimated costs of as high as $1 billion per retailer. The U.S. Identity Theft Protection Act has established fines of up to $11,000 per customer record for databases breaches. In fact, 14 percent of retailers have suffered a breach and only 28 percent of retailers are fully compliant with PCI requirements, according to the Retail Systems Alert Group 2006-2007 Retail Data Security study. Since that study, retailers are taking notice, and compliance rates are steadily increasing.<\/p>\n
Merchants who do not comply are at risk for fines, higher processing fees and even the loss of card-processing privileges. PCI implementation costs are a major concern for many businesses, even if the cost of noncompliance is potentially so much higher. Consider that the cost of new preventative measures only averages 4 percent of the total breach cost, or $180,000.1<\/sup><\/p>\n Amid these concerns, it is easy for retailers to lose sight of both the big picture and important details. PCI compliance is a major milestone, but it is only a means to an end of having secure processes, networks, data, devices, and peripherals. If a single networked device is non-compliant, the entire network and the retail information systems behind it are all non-compliant. This is why protecting peripherals is an essential, if somewhat overlooked, component of PCI compliance.<\/p>\n This white paper explains how PCI Data Security Standard (DSS) version 1.2 applies to wireless peripherals and presents options for including secure wireless printers in PCI-compliant wireless networks.<\/p>\n <\/p>\n Many retailers are unwittingly out of compliance with PCI DSS v1.2 because they do not realize its scope, particularly how the standard applies to peripherals. Because of the tougher wireless security requirements included in PCI DSS v1.2, many wireless computers, printers and other peripherals retailers use every day do not comply.<\/p>\n There is no reason for a printer to be a weak link in wireless network security. Wireless printers<\/a> can support PCI requirements and other advanced protocols and strategies used to protect mobile computers<\/a>, POS stations<\/a> and other wireless devices. Supported security includes 802.11i, 802.1x, LEAP, WPA, and WPA2 security protocols. Wireless printers support AES, IPSec, SSL and other advanced encryption and authentication protocols, and can be included in virtual private networks (VPNs).<\/p>\n The primary changes from PCI version 1.1 to version 1.2 that affect wireless printers include:<\/p>\n The new revisions to PCI DSS version 1.2 increases data security and helps minimize the risk of data breaches that can challenge the positive public perception of the security practices of retail merchants and financial institutions involved in the payments chain. There are 12 major requirements that all must be met to comply with PCI DSS v1.2. The sections that follow present the most relevant requirements, and tips for meeting them. 2<\/sup><\/p>\n At one time, it was common to deploy wireless LANs secured with default passwords and security configurations, but the industry has largely abandoned this practice in favor of more secure methods. To comply, activate security settings during installation (some systems default to security turned off), and create original passwords. Businesses should review older systems to make sure they are compliant.<\/p>\n PCI considers wireless LANs to be public networks. This requirement also covers Internet and cellular transmissions, which therefore applies to merchants who wirelessly process payments for delivery, service, home sales, and other remote commerce. WPA, WPA2, 802.1x, 802.11i and other standard wireless LAN security protocols provide data encryption, as do wide-area cellular networks. New wireless networks should now start implementing industry best practices such as IEEE 801.11x.<\/p>\n This requirement applies to wired and wireless, stationary and mobile, and local or Web communications over public networks. Support for SSL, TLS, and IPsec is available for wireless printers. Pay careful attention to specifications because there are different varieties of these protocols (e.g., EAP, LEAP, PEAP), so compatibility with the network infrastructure is not assured.<\/p>\n New wireless implementations can no longer deploy WEP. Existing wireless implementations must cease using WEP after June 30, 2010. <\/strong>Until that date, networks and devices can use WEP if the network also deploys WPA, WPA2, or a VPN. If WEP is used, do the following:<\/p>\n The new requirement disallows sending primary account numbers (PANs) through text-based communications without first encrypting the PAN. Test-based communications include e-mail, instant messaging, chat, and short message service (SMS).<\/p>\n Other requirements of PCI DSS v1.2 relate to networks, applications and IT infrastructure, so printers and other peripherals must be compatible with enterprise IT policies and standards. Additional PCI components that may impact printers include:<\/p>\n Meeting all these requirements may seem complex and burdensome, but in fact, it is quite manageable. Many retailers have complied with PCI DSS v1.2 and use wireless printers for shelf labeling, markdown management, stock keeping, returns processing, assisted shopping, portable POS, and other applications daily.<\/p>\n None of the PCI DSS v1.2 wireless requirements calls for products or technologies that do not yet exist. In fact, securing wireless printers may be one of the easier aspects of PCI compliance because products are already available that support the necessary security protocols. In addition, automated management applications are available to reduce much of the traditional configuration and upgrade time requirements and costs, especially for remote devices. The following sections describe specific security capabilities and management options for wireless printers from Zebra Technologies.<\/p>\n Zebra Technologies provides flexible, standard, and current security solutions configurable on mobile, tabletop, and mobile art<\/a>-mounted printers. Many models support WPA, WPA2, and other PCI requirements and are fully compatible with LEAP and other security protocols used in 802.11b\/g\/i\/x wireless networks from Cisco Systems, Motorola<\/a> and other providers.<\/p>\n Different security levels and protocols can be implemented in each type of Zebra printer<\/a>\u00e2\u20ac\u201dmobile, tabletop and cart-mounted. The exact security available depends on the printer model, connection method and radio model used. Support referenced in this white paper applies only to radios tested and approved by Zebra for use with its printers. Zebra frequently updates security support, so check www.zebra.com<\/a>, or speak with a Zebra representative for the most current information. Mobile models work on wireless networks through integrated radios, while cart-mounted and stationary wireless printers use a print server for access to the wireless network. Table 1 summarizes the security available for Zebra wireless printers.<\/p>\n Table 1: Quick Reference to Wireless Security Available for Zebra Printers<\/p>\nTake Network Security Seriously<\/h2>\n
How PCI DSS v1.2 Applies to Printers<\/h2>\n
\n
\n
PCI DSS v1.2 Requirement 2\u00e2\u20ac\u201dDo not use vendor-supplied defaults for system passwords and other security parameters.<\/h3>\n
Requirement 4\u00e2\u20ac\u201dEncrypt transmission of cardholder data across open, public networks.<\/h3>\n
Requirement 4.1\u00e2\u20ac\u201dUse strong cryptography and security protocols such as secure sockets layer (SSL)\/transport layer security (TLS) or Internet protocol security (IPsec) to safeguard sensitive cardholder data during transmission over open, public networks.<\/h3>\n
Requirement 4.1.1\u00e2\u20ac\u201dEnsure wireless networks transmitting cardholder data, or connected to the cardholder data environment, use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission.<\/h4>\n
\n
\n
\n
\n
Requirement 4.2\u00e2\u20ac\u201d Never send unencrypted PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat).<\/h4>\n
\n
\n
Security Options for Zebra \u00c2\u00ae<\/sup> Wireless Printers<\/h2>\n