
Credit Card Crackdown

Author: DON SAMBANDARAKSA on 08-16-2007 02:55:16

On the 30th of September this year, a new compliance directive will come into force from the Payment Card Industry (PCI) that will affect each and every business that accepts credit cards around the globe, including those here in Thailand. Among the directives is a requirement for merchants to secure their networks, both wired and wireless, and to audit their compliance at least once every three months.

Even if the merchant does not have a wireless LAN, they will need to prove that no rogue access points have been installed in the area and that the network is secure.

In Bangkok to explain the far-reaching implications of the directive was John Cunningham, Motorola's director of RFID and wireless for enterprise mobility, and Sujai Haleja, vice president and general manager of its enterprise WLAN division.

Haleja explained that come Sept 30th, any merchant accepting Visa, Mastercard, American Express or Discover cards can be fined up to half a million US dollars per incident for not complying with the new PCI security rules. If the non-compliance persists, they can have their rights to accept credit cards revoked.

Two years ago, US retail giant TJ Maxx had its network breached and 46.5 million credit card details were stolen. This sent the entire merchant industry into a spiral as banks rushed to re-issue cards and limit the damage.

The cost was considerable and while the banks and credit card companies absorbed the cost in that incident, it quickly became clear that better security was needed to prevent a repeat. This led to the credit card companies coming up with the PCI security directive, which will be passed down to merchants and banks.

Today, the United States is by far the most concerned with PCI compliance. Two states, Texas and Minnesota, have actually passed laws that go far beyond PCI and state that if a TJ Maxx style breach occurs today, the merchant will have to be financially responsible for replacing all the compromised cards.

Even before PCI, many US merchants were clamouring for better network defences to prevent damage to their reputation if they are hacked.

Away from the US, however, things are quite different. "Just recently, when I talked to people in industry, they said, 'PCI compliance? What's that?' Today, they are coming to me and saying, 'Oh my god, how can I do it in time?'" Cunningham, who is based in Singapore, said.

For the network part at least, Motorola has been offering a PCI-compliant solution for the past 18 months. Today, it has enhanced its offering and is now offering PCI enforcement on top of its already PCI-compliant wireless network hardware and software. Cunningham claims that Motorola is the first and so far only player to offer turnkey PCI network compliance in a box.

For instance, PCI requires that all Wi-Fi traffic is encrypted with WPA or WPA2 and not the much weaker WEP. All modern wireless equipment supports all three protocols, so while the hardware may be PCI compliant, an incorrect network policy can configure the Wi-Fi access points with WEP and render the network non-PCI-compliant.

Motorola has added PCI compliance enforcement to its network management tools, along with its other existing frameworks for Sarbanes-Oxley (for financial institutions) and HIPAA (for healthcare).

Today, many merchants are using wireless terminals that allow the credit card to be swiped anywhere in the store. In such cases the merchant needs to ensure that the transmission is secure and cannot be eavesdropped.

Both the wired and wireless networks also need to be secured. Organisations that do not use wireless will still need to prove that no rogue access points have been deployed on the premises. PCI also requires that the wireless and wired networks are suitably firewalled from one another.

Every quarter, an audit needs to be conducted to ensure that there is no abnormal wireless activity happening. The Motorola solution monitors the air all the time, and reports abnormalities in real-time.

With the audit trail and compliance in place, if a breach does still occur, the fine imposed on the merchant will be less than if it had been negligent. The analogy is a house insurance policy that requires the owner to install and use a deadbolt on the front door. Motorola is like a community guard that takes note of when the door is opened and closed, and whether the owner locks it when they leave the house. If the owner does not lock the door, then they could be held responsible for a burglary.

Today Bumrungrad Hospital, which accepts credit cards as payment, is claimed as the first hospital in Asia certified PCI network compliant. It did this through a simple rule change in its existing Motorola wireless network security. For every four to six access points, there is a sensor that only listens to wireless network traffic and logs any abnormal network activity. This is fed into a forensics database log and a monitoring system that can trigger work-flows if certain conditions are met.
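The two checks described above, the encryption-policy rule and the listen-only sensors looking for unknown radios, can be expressed as a small audit over an access-point inventory and a sensor scan. This is an added example, not Motorola's code or the PCI text; the inventory, scan records and field names are all constructed for illustration.

```python
"""Quarterly wireless PCI check over a constructed AP inventory and sensor scan.

Two rules from the article: authorized access points must use WPA/WPA2 (never
WEP or open), and any BSSID seen on the air that is not in the inventory is a
rogue AP candidate that must be investigated.
"""
from dataclasses import dataclass

# Constructed sample inventory: the access points the merchant says it operates.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": {"ssid": "STORE-POS", "encryption": "WPA2"},
    "00:11:22:33:44:02": {"ssid": "STORE-POS", "encryption": "WEP"},  # policy slip
    "00:11:22:33:44:03": {"ssid": "STORE-GUEST", "encryption": "WPA"},
}

# Constructed sample sensor scan: what the listen-only sensors observed.
SENSOR_SCAN = [
    {"bssid": "00:11:22:33:44:01", "ssid": "STORE-POS", "encryption": "WPA2", "rssi": -48},
    {"bssid": "00:11:22:33:44:02", "ssid": "STORE-POS", "encryption": "WEP", "rssi": -55},
    {"bssid": "de:ad:be:ef:00:01", "ssid": "STORE-POS", "encryption": "OPEN", "rssi": -61},
    {"bssid": "aa:bb:cc:dd:ee:ff", "ssid": "linksys", "encryption": "WEP", "rssi": -82},
]

COMPLIANT_ENCRYPTION = {"WPA", "WPA2"}


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    issue: str


def audit_wireless(authorized, scan):
    """Return findings: weak-encryption authorized APs, then unrecognised BSSIDs."""
    findings = []
    for bssid, cfg in sorted(authorized.items()):
        if cfg["encryption"].upper() not in COMPLIANT_ENCRYPTION:
            findings.append(Finding(bssid, cfg["ssid"], f"weak encryption {cfg['encryption']}"))
    known_ssids = {cfg["ssid"] for cfg in authorized.values()}
    for obs in scan:
        if obs["bssid"] not in authorized:
            # An unknown radio advertising one of our own SSIDs deserves the most urgent look.
            kind = "unknown AP using an authorized SSID" if obs["ssid"] in known_ssids else "rogue AP candidate"
            findings.append(Finding(obs["bssid"], obs["ssid"], f"{kind} ({obs['encryption']}, {obs['rssi']} dBm)"))
    return findings


def is_compliant(findings):
    """The quarterly audit passes only when there is nothing left to investigate."""
    return not findings


if __name__ == "__main__":
    results = audit_wireless(AUTHORIZED_APS, SENSOR_SCAN)
    for f in results:
        print(f"{f.bssid}  {f.ssid:<12} {f.issue}")
    print("compliant" if is_compliant(results) else "NOT compliant")
```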

Motorola's RF switch is a device that takes the intelligence of the entire wireless network and puts it in one place, with each access point then just a dumb radio. This was at first intended to allow for seamless mobility among access points without the need to re-authenticate with each move. However, by extending the software, the same RF switch can use the radio infrastructure to listen to packets and audit the airwaves as per PCI. It can also use triangulation to pinpoint in real time the location of any abnormal activity.

Because the same radio logic is used for WiFi, WiMax and RFID, the same reporting and auditing system can be scaled up to wide areas, or scaled down to three to five metre circles where a certain wireless MAC address needs to be operating within a given radius of a particular RFID tag.

For instance, a doctor's notebook needs to be operated only by the doctor and any activity from that notebook MAC while the doctor's RFID badge is out of the room can be flagged as suspicious.
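The badge-and-notebook rule above, written out as a correlation over two event streams. This is an added example, not Motorola's code; it assumes the RF switch can export Wi-Fi client sightings and RFID badge reads with a zone each, plus a device-to-badge ownership table, and every event below is constructed.

```python
"""Flag notebook activity while the owner's RFID badge is not in the same zone.

Assumed inputs (not from the article): Wi-Fi client sightings as
(seconds, client MAC, zone), RFID badge reads as (seconds, badge id, zone)
sorted by time, and a mapping of which badge owns which device MAC.
"""
from bisect import bisect_right

# Constructed: which badge is allowed to operate which device MAC.
DEVICE_OWNER = {"3c:22:fb:10:00:aa": "badge-DR-17"}

# Constructed badge reads, sorted by time.
BADGE_READS = [
    (0, "badge-DR-17", "ward-3"),
    (600, "badge-DR-17", "ward-3"),
    (900, "badge-DR-17", "corridor-B"),   # doctor leaves the ward
    (1500, "badge-DR-17", "ward-3"),      # doctor returns
]

# Constructed Wi-Fi client sightings of the doctor's notebook.
WIFI_EVENTS = [
    (120, "3c:22:fb:10:00:aa", "ward-3"),
    (1000, "3c:22:fb:10:00:aa", "ward-3"),    # badge is in corridor-B at this time
    (1600, "3c:22:fb:10:00:aa", "ward-3"),
    (1700, "3c:22:fb:10:00:aa", "pharmacy"),  # badge is in ward-3 at this time
    (1800, "88:77:66:55:44:33", "pharmacy"),  # device with no owner record
]


def badge_zone_at(reads, badge, t):
    """Zone of the most recent read of `badge` at or before time t, or None if unknown."""
    times = [r[0] for r in reads if r[1] == badge]
    zones = [r[2] for r in reads if r[1] == badge]
    i = bisect_right(times, t)
    return zones[i - 1] if i else None


def suspicious_activity(wifi_events, badge_reads, owners):
    """Return sightings where a managed device is active in a zone its owner's badge is not."""
    flagged = []
    for t, mac, zone in wifi_events:
        badge = owners.get(mac)
        if badge is None:
            continue  # unmanaged device: outside the scope of this rule
        if badge_zone_at(badge_reads, badge, t) != zone:
            flagged.append((t, mac, zone, badge))
    return flagged


if __name__ == "__main__":
    for t, mac, zone, badge in suspicious_activity(WIFI_EVENTS, BADGE_READS, DEVICE_OWNER):
        print(f"t={t}s {mac} active in {zone} while {badge} is elsewhere")
```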

All of this is something that cannot be done with standard 802.11 equipment. However, merchants with basic and non-integrated networks can install just the listening and monitoring equipment for basic PCI compliance.

Asked if this means Motorola will take on IBM and HP and become a system integrator, Haleja said that for now they would prefer to work with system integrators such as HP and IBM in providing solutions but agreed that this business was quite unlike the Motorola of old.

Motorola only joined the PCI group after its acquisition of RFID specialists Symbol, whose bread and butter is in the retail industry. But it quickly became apparent that the demands of PCI network compliance and Motorola's existing wireless protection were a perfect match.

He also hinted that the world will soon be surprised as to the new direction Motorola will be taking, but said that is all he is allowed to say at this point.

However, while it is now certain that the PCI directive will come into force on 30th September, it is still unclear exactly how it will be enforced at a local level. Unlike HIPAA or Sarbanes-Oxley - which both have a strong legal basis and enforcement through each country's central banks - PCI is an industry standard backed by the card issuers rather than any federal law.

Cunningham noted that SOHO or, as he puts it, "Mom and Pop shops," will escape the brunt of the regulation as they do not store credit card information themselves; they simply scan and pass on the information.

Enforcement will have to be through their banks and card issuers and the agreements they have with their merchants. Also, while the maximum penalty for non-compliance is set at half a million dollars, it is still unclear how much of a penalty will be levied for breaches where compliance was proven, or for partial compliance.

Both executives were extremely concerned about the almost total lack of awareness in the region, even though it is clear to them that the same penalties apply whether the breach is in the United States, Europe or here in Thailand.

"It's like antivirus. I didn't buy an antivirus software until I had to go through the pain of rebuilding my notebook. Today, you don't think about it. People have to go through the pain because of a lack of security before they start to look at it seriously," Cunningham said.

Source: rfidglobal

