SitePoint.com

topmonkey · Jul 2, 2009, 05:23

Hi,

I have been asked by a client to help them with becoming PCI compliant. We have everything sorted except one thing - wireless analysis. To become PCI compliant you need to use a 'wireless analyzer' to scan for vulnerabilities every quarter. The only trouble is, I haven't a clue what one of these things looks like, let alone where to get one or how to deploy one (and I have been Googling for hours)!

If anyone who has any experience of dealing with PCI Compliance can explain what my client and I need to do for this I would be very grateful.

Thanks,
TM

webdesignandmore · Jul 2, 2009, 23:45

Are there any consultants that you can hire to do this for you? This sounds like it might be cheaper.

Also, this only applies if your client uses wireless LAN for transmitting cc info. I would take a look at regulations just to make sure you really need it.

CS-Cart · Jul 3, 2009, 00:24

Approved list of scanning vendors can be found here:

https://www.pcisecuritystandards.org...sv_report.html

Personally, I'd check HackerGuardian as an option, this is a very reputable company.

topmonkey · Jul 3, 2009, 04:51

My client is already with one of these approved scanning vendors - Security Metrics. All they do is perform an external scan - whereas we need an internal (on site) scan to comply with 11.1 which says that you must carry out a minimum quarterly wireless scan of all locations or the deployment of a wireless IDS/IPS.

We asked Security Metrics for help on how to comply with this and this was their response:

Quote:

We appreciate your question as to how to comply to 11.1.

As it specifies, you need a system in place to "identify all wireless
devices in use". You can do this with the use of a wireless analyzer,
wireless Intrusion Detection System (IDS), or Intrusion Prevention
System (IPS). If you already have one of those programs and it is
successfully identifying all of the wireless devices in use, then you
can mark that you can comply to this question by recording a 'yes'
answer. If you do not currently have any of the above mentioned
programs, you will need to research a product that would be best for you
and your business and deploy it on all necessary networks. We cannot
make references as to what products would be best for you for liability
reasons, however, your local computer specialists or internet search
engines can be valuable tools.

CS-Cart · Jul 3, 2009, 05:03

I see, sorry for possible misunderstanding. Did you check with your hosting company regarding this question? They may have such a system if they host ecommerce sites.

topmonkey · Jul 3, 2009, 05:26

Quote:

Originally Posted by CS-Cart

I see, sorry for possible misunderstanding. Did you check with your hosting company regarding this question? They may have such a system if they host ecommerce sites.

No worries. I'm gradually picking up bits of this PCI Compliance as I go along. I guess it might be worth asking - the support people at my hosting company are usually quite helpful and knowledgeable. Thanks.

CS-Cart · Jul 3, 2009, 05:29

Quote:

Originally Posted by topmonkey

No worries. I'm gradually picking up bits of this PCI Compliance as I go along. I guess it might be worth asking - the support people at my hosting company are usually quite helpful and knowledgeable. Thanks.

It's good to hear this. Please, share your results with us, it would be interesting to know.

topmonkey · Jul 3, 2009, 05:38

Quote:

Originally Posted by CS-Cart

It's good to hear this. Please, share your results with us, it would be interesting to know.

Will do.

topmonkey · Jul 3, 2009, 07:38

Quote from my host:

Quote:

A wireless IDS/IPS is usually built into your wireless router and will also
form part of most security programs available for networks and personal
computers. If you have such a program along the lines of Norton Internet
Security or similar then you will be covered.

CS-Cart · Jul 6, 2009, 01:16

Am I correct to assume that you use a dedicated server? If so, I'd suggest passing this question further to your server administrator.

topmonkey · Jul 6, 2009, 10:08

That's irrelevant - the wireless access point is located at the client's home based office. I have now installed Norton for the client so we should be compliant now if my host is right.

Jul 2, 2009, 05:23	#1
topmonkey SitePoint Addict Join Date: Apr 2007 Posts: 204	Client PCI Compliance Hi, I have been asked by a client to help them with becoming PCI compliant. We have everything sorted except one thing - wireless analysis. To become PCI compliant you need to use a 'wireless analyzer' to scan for vulnerabilities every quarter. The only trouble is, I haven't a clue what one of these things looks like, let alone where to get one or how to deploy one (and I have been Googling for hours)! If anyone who has any experience of dealing with PCI Compliance can explain what my client and I need to do for this I would be very grateful. Thanks, TM

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Jul 2, 2009, 23:45	#2
webdesignandmore SitePoint Member Join Date: Jul 2009 Posts: 6	Are there any consultants that you can hire to do this for you? This sounds like it might be cheaper. Also, this only applies if your client uses wireless LAN for transmitting cc info. I would take a look at regulations just to make sure you really need it.

Jul 3, 2009, 00:24	#3
CS-Cart SitePoint Zealot Join Date: Jun 2009 Posts: 114	Approved list of scanning vendors can be found here: https://www.pcisecuritystandards.org...sv_report.html Personally, I'd check HackerGuardian as an option, this is a very reputable company.

Jul 3, 2009, 05:03	#5
CS-Cart SitePoint Zealot Join Date: Jun 2009 Posts: 114	I see, sorry for possible misunderstanding. Did you check with your hosting company regarding this question? They may have such a system if they host ecommerce sites.

Jul 6, 2009, 01:16	#10
CS-Cart SitePoint Zealot Join Date: Jun 2009 Posts: 114	Am I correct to assume that you use a dedicated server? If so, I'd suggest passing this question further to your server administrator.

Jul 6, 2009, 10:08	#11
topmonkey SitePoint Addict Join Date: Apr 2007 Posts: 204	That's irrelevant - the wireless access point is located at the client's home based office. I have now installed Norton for the client so we should be compliant now if my host is right.