ProCheckUp Labs

Not Good Enough - PCI DSS v1.2 & WEP

22/10/2008, by Jan Fry
So, version 1.2 of the PCI DSS standard has finally been released. No big jump to a version 2.0 just yet, so we weren’t expecting too many alterations. Wikipedia states that “v1.2 did not change requirements, only enhanced clarity, improved flexibility, and addressed evolving risks/threats.”

I would like to address their addressing of one particular evolving risk, namely their “enforcement” of moving from WEP to WPA, possibly in response to recent incidents.

The changes were nicely detailed at pcianswers:
“Requirement 4.1.1 - Removes discussion of WEP vs WPA and simply states that cardholder data must be security encrypted over wireless networks, and to “implement strong encryption for authentication and transmission.” This is the first reference to ‘authentication’ implying that not only must the data be secure, but the authentication to that network must also be protected.”
At last we have the enforcement of WPA. This has been coming for a long time. (Mind you, not even WPA is safe these days.)
“New implementations of WEP are not allowed after March 31, 2009”
I can live with that. That’s a good deadline.
“Current implementations must discontinue use of WEP after June 30, 2010”
Wait, what? The first time I read this, I nearly WEPt (Pardon my pun, you can blame ITBusinessEdge).

After months of deliberating, that is the best they could come up with? I can understand that there are a lot of parties to come to an agreement with but someone has to put their foot down here! Couldn’t they have said something like “All Level 1 & 2 merchants must discontinue use of WEP after March 31, 2009”? Is that too unreasonable?

Current implementations of WEP have more than 600 days to change to WPA. Do you know how long it can take to crack WEP? Less than 600 seconds*. Millions upon millions of card numbers will be floating across wireless networks “protected” by WEP. Of course, an attacker won’t always have to wait for the card numbers. Once on the network, the attacker may be able to see the backend database if the network has not been properly segmented.

If cracking WEP were new, the deadline could be acceptable. But the risk of using WEP has existed from the very start of the PCI DSS (and even before). Using WEP is just asking for trouble. There isn’t even any real skill involved in cracking it! The tools are freely available and can easily be understood by following any of the guides on the Internet.

I could rant on about PCI DSS but I will spare you my ramblings. It suffices to say that I am not impressed with this “deadline”: it is simply not good enough.

*Can be less, can be more. For illustrative purposes 600 seconds was a nice number.