Security For Your Peripheral Devices

In addition to maintaining security for your applications through updates and monitoring, you should ensure the security of your peripheral devices. The following are guidelines to help with this task.

PCI-Compliant Wireless and Bluetooth Settings

The wireless communication channel — either Wi-Fi or Bluetooth — should be secured using strong cryptography.

Strong Cryptography

Use cryptography that's based on industry-tested algorithms, strong key lengths (at least 112 bits), and good key management practices. Cryptography helps protect data and includes both encryption (which you can reverse) and hashing (which you can't, since it's one way). Some examples of industry-tested and accepted standards and algorithms for minimum encryption strength include AES (128 bits and higher), TDES (minimum triple-length keys), RSA (2048 bits and higher), ECC (160 bits and higher), and ElGamal (2048 bits and higher). See NIST Special Publication 800-57 Part 1 (http://csrc.nist.gov/publications/) for more guidance on cryptographic key strengths and algorithms.

SCIS is compatible with various wireless technologies, and the wireless networking device(s) chosen can vary. Always follow your wireless vendor's security guidance, and make sure you confirm the following steps wherever possible, as required by PCI DSS 3.2.1 (requirements 1.2.3, 2.1.1, 4.1.1, and 11.1):

  • 1.2.3: You must install perimeter firewalls between any wireless networks and systems that store cardholder data. These firewalls should block or control any traffic from the wireless network into the cardholder data environment, unless it's needed for business.

  • 2.1.1: You can't do the tasks below in SCIS, but you can do them on devices that work with SCIS. Follow your vendor or manufacturer's advice to change wireless defaults as described in these five points:

    1. Change encryption keys from the default when you install the device, and anytime someone with access to the keys leaves the company or changes roles.

    2. Change the default passwords and passphrases on access points.

    3. Default passwords and passphrases on access points must be changed.

    4. Firmware on wireless devices must be updated to support strong encryption for authentication and transmission over wireless networks.

    5. Other security-related wireless vendor defaults, if applicable, must be

  • 4.1.1: Use industry best practices, like IEEE 802.11i, to set up strong encryption for authentication and sending cardholder data.

  • 11.1: Involves detecting and identifying wireless access points, specifically 802.11 devices. You need to check for and identify wireless access points at least every quarter. This applies to all locations, even if you don't use wireless tech there, since the goal is to find both authorized and unauthorized wireless access points.

Note:

The use of WEP as a security control was prohibited as of June 30, 2010.
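The quarterly check in requirement 11.1 comes down to reconciling what a wireless survey observes against the access points you actually own. The following is an added example, not part of this page or of SCIS: it assumes a hypothetical scanner that emits one line per observed beacon as "bssid ssid channel signal_dbm", and an authorized-AP inventory keyed by BSSID; the inventory and survey lines below are constructed.

```python
"""Reconcile a wireless survey against the authorized access-point inventory.

Added example for PCI DSS 11.1-style quarterly checks; the survey format and
the inventory are constructed for illustration, not taken from any vendor tool.
"""
from dataclasses import dataclass

# Constructed: the authorized AP inventory, keyed by BSSID (lowercase MAC).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": {"ssid": "STORE-POS", "location": "store 12, back office"},
    "00:11:22:33:44:02": {"ssid": "STORE-POS", "location": "store 12, sales floor"},
}

# Constructed survey output (assumed format of a hypothetical scanner):
# "<bssid> <ssid> <channel> <signal_dbm>", one observed 802.11 beacon per line.
SAMPLE_SURVEY = """\
00:11:22:33:44:01 STORE-POS 6 -41
00:11:22:33:44:02 STORE-POS 11 -55
de:ad:be:ef:00:01 STORE-POS 6 -47
aa:bb:cc:dd:ee:ff CoffeeShopGuest 1 -80
"""

@dataclass(frozen=True)
class Observed:
    bssid: str
    ssid: str
    channel: int
    signal_dbm: int

def parse_survey(text):
    """Parse survey lines; a malformed line is skipped rather than aborting the run."""
    result = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        bssid, ssid, channel, signal = parts
        try:
            result.append(Observed(bssid.lower(), ssid, int(channel), int(signal)))
        except ValueError:
            continue
    return result

def classify(observed, authorized=AUTHORIZED_APS):
    """Split observations into: rogue (unknown BSSID broadcasting one of our SSIDs),
    unknown (not ours, possibly a neighbour; still goes in the quarterly record),
    and missing (inventoried BSSIDs not seen, e.g. removed or relocated hardware)."""
    our_ssids = {entry["ssid"] for entry in authorized.values()}
    seen = {o.bssid for o in observed}
    report = {"rogue": [], "unknown": [], "missing": []}
    for o in observed:
        if o.bssid in authorized:
            continue                      # matches inventory: nothing to flag
        if o.ssid in our_ssids:
            report["rogue"].append(o)     # our SSID on unknown hardware: investigate first
        else:
            report["unknown"].append(o)
    report["missing"] = sorted(b for b in authorized if b not in seen)
    return report
```

Keep each quarter's report, including the "unknown" list, so that a device that first appears as a neighbour and later starts broadcasting your SSID has a history.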

Include Use of Secure Protocols

SCIS doesn't require any insecure services or protocols. The only required protocols are HTTPS and TLS 1.2.

Physical Security

Include the following guidelines when ensuring the physical security of your peripheral devices.

  • Protect the mobile device from unauthorized attachments: If an entry device, such as a card reader, is attached to the mobile device—whether the connection is physical or wireless—the device needs to identify itself uniquely to the mobile payment-acceptance application. This identification ensures that the correct entry device is paired to the correct mobile device.

  • Maintain a device inventory: Track all devices used for payment transaction processing with their serial number, hardware number, and model number. You should have a process to detect and report if a mobile device is lost or stolen.

  • Prevent unauthorized logical device access: Protect mobile devices from unauthorized logical-device access by using a lock screen with a password or PIN. Store devices in locked cabinets at the end of a business day or shift.

Maintain an Information Security Program

Besides the security tips above, you need a thorough approach to keep your payment application environment secure and protect your organization and cardholder data.
