Out-Law / Your Daily Need-To-Know

Companies have just months to replace old wireless payments systems

07 Jan 2010, 11:18 am

Retailers and caterers have just six months to replace old systems if they are to continue to use wireless card payment technology. The industry payment security body might revoke the right to process cards for companies that do not upgrade their technology.

The Payment Card Industry (PCI)'s Data Security Standard (DSS) is the set of technical requirements which must be met by retailers who want to process cards.

It was changed in 2008 to ban the use of Wired Equivalent Privacy (WEP) technology in the transmission of card details from mobile card terminals to the main part of a system.

From last year companies were barred from installing new systems that use WEP and from June of this year companies will be stopped from using WEP-based systems at all. The PCI's Security Standards Council (SSC) said that any company still using WEP after that date would not be compliant with PCI DSS. Non-compliant companies can have their right to process cards revoked.

The SSC has also published guidelines on how best to operate wireless payment networks. The guidelines are designed to ensure that cardholder details are properly protected by companies using payment systems.

They are designed to help to secure transactions using the kind of wireless card pay points that are increasingly used in cafes and restaurants to allow people to use payment cards without walking to a till.

The guidance says that companies must maintain an up to date inventory of hardware; must scan networks to look for unauthorised points of access; and must ensure that the wireless devices are physically secure and not stolen or accessed by other people.

The guidance says that companies must periodically change the passwords and settings of devices and networks; that they must use strong encryption to send messages through the air; and that their use of wireless technologies must be subject to a usage policy.

Wireless systems were hacked in 2008 when 40 million people's credit and payment card details were stolen from retailer TJX and eight other retailers. Hackers scanned wireless networks and were able to capture card numbers and PIN security codes.

Payment security expert William Malcolm of Pinsent Masons, the law firm behind OUT-LAW.COM, said that companies using payment systems will have to take heed of updated policies from the PCI Security Standards Council.

"PCI compliance is an increasingly important area for those organisations which process cardholder details," he said. "As more organisations use wireless solutions the need to maintain robust security to protect against identity theft becomes all the greater."

"Organisations will want to study the new guidance carefully to see if it strikes the right balance between maintaining security and allowing operational flexibility," he said.