2) Skimming Cardholder Data
Skimming is the theft of credit card information by observing a legitimate payment transaction. Although there are a number of ways to "skim" credit card information, the process for POSTs is similar to ATM skimming: a thief attaches a third-party card-reading device to the outside or inside of the payment terminal to capture customers' credit card information as it is processed during a payment transaction. Many skimming devices use Bluetooth transmitters to transfer the skimmed information to thieves on demand. Note that Bluetooth devices can communicate from a distance of one meter (class 3) to 100 meters (class 1).
Detecting if cardholder data is being skimmed: Like Wi-Fi, Bluetooth is a wireless protocol that operates in the 2.4 GHz band. Although it is difficult for a WIDS/WIPS to identify Bluetooth transmissions in the WLAN, their presence raises the noise level on RF channels. By tracking the noise level of each RF channel, a WIDS/WIPS can identify channels with sustained, high levels of noise. Once such a channel is identified, vendors can use a Wi-Fi analyzer with a directional antenna to track down the source of the noise and take action.
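An added example of the noise-floor tracking described above (not code from the article or from any WIPS product): it records per-channel noise readings and flags only channels whose noise stays above a threshold for several consecutive samples, so a single burst is not mistaken for a skimmer's transmitter. The -80 dBm threshold, the run length and the sample readings are assumptions constructed for the example.

```python
"""Flag Wi-Fi channels with sustained, elevated RF noise from spectrum samples.

Mirrors the WIDS/WIPS approach of tracking the noise floor per channel over
time and alerting only when it stays high. All sample data is constructed.
"""
from collections import defaultdict

# A quiet 2.4 GHz noise floor is typically around -95 dBm (assumption for
# this example); readings above this threshold are treated as "high".
HIGH_NOISE_DBM = -80
# Consecutive high samples required before a channel counts as sustained.
MIN_CONSECUTIVE = 4


def sustained_noise_channels(samples, threshold_dbm=HIGH_NOISE_DBM,
                             min_run=MIN_CONSECUTIVE):
    """Return {channel: longest_run} for channels whose noise exceeded
    `threshold_dbm` for at least `min_run` consecutive samples.

    `samples` is an iterable of (timestamp, channel, noise_dbm) tuples,
    ordered by time within each channel.
    """
    by_channel = defaultdict(list)
    for _ts, channel, noise in samples:
        by_channel[channel].append(noise)

    flagged = {}
    for channel, readings in by_channel.items():
        run = longest = 0
        for noise in readings:
            # Extend the run while noise stays high; reset on a quiet sample.
            run = run + 1 if noise > threshold_dbm else 0
            longest = max(longest, run)
        if longest >= min_run:
            flagged[channel] = longest
    return flagged


# Constructed spectrum-monitor readings: channel 1 is quiet, channel 6 shows
# a short transient burst, channel 11 carries a sustained raised noise floor.
SAMPLES = [
    (0, 1, -95), (1, 1, -94), (2, 1, -96), (3, 1, -95), (4, 1, -94), (5, 1, -95),
    (0, 6, -93), (1, 6, -72), (2, 6, -70), (3, 6, -94), (4, 6, -93), (5, 6, -95),
    (0, 11, -92), (1, 11, -74), (2, 11, -73), (3, 11, -75), (4, 11, -72), (5, 11, -76),
]

if __name__ == "__main__":
    for channel, run in sorted(sustained_noise_channels(SAMPLES).items()):
        print(f"channel {channel}: noise above {HIGH_NOISE_DBM} dBm "
              f"for {run} consecutive samples")
```

Lowering `min_run` trades fewer missed detections for more false alerts from ordinary bursts of interference; the flagged channel is where a directional-antenna survey should start.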
3) Unauthorized Devices on WLANs
Thieves may also set up their own Wi-Fi POST masquerading as a vendor's POST, or even pose as a store clerk and offer up a point of sale on their own Wi-Fi smartphone. These devices operate as unauthorized or rogue devices on a vendor's WLAN, or attempt to set up their own WLAN.
Identifying and protecting the WLAN from unauthorized devices: To identify unauthorized and rogue devices, organizations need to be vigilant and monitor the wireless network for unauthorized POSTs, access points, and wireless clients. This is best accomplished with a wireless intrusion prevention system. With a WIPS, organizations can track the security status of every wireless device in the WLAN and see whether any unauthorized or rogue devices may put mobile payments at risk.
These systems can also generate alerts when authorized devices deviate from a security policy, e.g., the requirement to use encrypted communications. Once unauthorized devices are identified, the location information provided by the system makes it easy to find and remove them.
How Merchants Can Secure Mobile Payment Cardholder Data
Mobile payments are a cost-effective, convenient payment solution for both consumers and merchants. But if merchants choose to accept payments over Wi-Fi, they need to ensure PCI DSS compliance or be subject to fines or worse. Investing in a dedicated WIPS that provides comprehensive Wi-Fi protection against the introduction of unauthorized devices and dangerous attacks, as well as spectrum analysis for the detection of RF threats, provides the security needed to adopt mobile payment technology while meeting PCI DSS requirements, so that consumers and merchants get the most bang for their buck in mobile payment transactions.
About the author
Milind Bhise has over fifteen years of high-tech and networking industry experience. Currently, he is responsible for product management and product marketing of the wireless LAN portfolio at Fluke Networks. The portfolio includes market-leading WLAN deployment, design and analysis tools and AirMagnet Enterprise, a scalable WLAN security and performance monitoring solution. He has a Master's in Engineering and an MBA.