Hiding SSIDs doesn't equal PCI DSS wireless compliance
Combating wireless LAN security risks can be tricky and stressful enough even for a veteran networking pro, but the stakes get even higher when a slip-up could cost millions in non-compliance fees and stolen credit card data. Although the PCI DSS wireless guidelines released last year sought to dispel any confusion about wireless LAN security risks, enterprises are still neglecting security requirements and falling prey to old WLAN wives' tales.
"A lot of people think they have good wireless security, but they don't understand what wireless security is. You cannot protect wireless the same way you protect wired," said John Kindervag, senior analyst at Forrester Research, who recently authored PCI X-Ray: Wireless Guidelines. "Wireless [networking] requires an enhanced level of paranoia. If you're deploying wireless and you're not paranoid, you're not doing it right."
Not every PCI DSS wireless guideline -- the "generally applicable" statements, for example -- should be interpreted as a compliance requirement, but all of them should be treated as de facto wireless LAN security best practices, even by enterprises that don't fall under compliance mandates, Kindervag said.