Archive for the ‘PCI’ Tag

Xirrus is First Wireless Product for PCI Compliance Certified by VeriSign

My employer, Xirrus, had a recent press release that I thought was of value to my readers. While somewhat of a shameless plug, it is something that I am extremely excited about! We are the first (and, to date, the only) WiFi vendor whose product has been certified by VeriSign for operation in a PCI network. Maybe it's the former IT auditor in me (I worked several years at Protiviti and am still an active member of ISACA), but this is fantastic news. Below is the press release:

Xirrus, Inc., the Wi-Fi “Power-Play” that delivers the most wireless coverage, bandwidth, and throughput in the industry, announces VeriSign assessment of the new features that enforce PCI-compliant configurations for the Xirrus Wi-Fi Array product line.

Payment Card Industry (PCI) security standards are worldwide technical and operational requirements that were created to help organizations that process card payments prevent fraud, hacking, and other various security vulnerabilities and threats. All members of the payment card industry, including financial institutions, credit card companies, merchants (retailers, hotels, etc.), and service companies must comply with these standards if they want to accept credit cards.

“To maintain a secure network and comply with the PCI standards, companies must ensure their Wi-Fi networks are secure and automatically protect both their companies’ and their customers’ information,” said Kurt Sauter, Director of Corporate Initiatives. “The new Xirrus PCI audit mode, available in all Wi-Fi Arrays, ensures product configuration changes are compliant with PCI standards, disallows changes that would result in a non-PCI-compliant configuration, and sends notifications that identify any product that does not meet the new requirements.”

New PCI-compliant implementations that use Wi-Fi are prohibited from using WEP starting March 31, 2009, and current wireless users are required to implement strong encryption such as 802.11i after June 30, 2010. The new features are available beginning in Xirrus ArrayOS software release 3.5 and include additional security features for ensuring the utmost in wireless security, including:

  • Integrated and dedicated Wi-Fi Threat Sensor for continuous monitoring of the air
  • Integrated rules-based stateful firewall
  • Reprogrammable FPGA-based encryption engines
  • Integrated Spectrum Analyzer for DoS attacks and RF analysis
  • Advanced RADIUS/802.1x user and administrator authentication
  • Captive Web Portals for guest user authentication and control
  • Penetration-tested software and hardware platform
  • FIPS 140-2 Government security certification

“Xirrus is the first Wi-Fi vendor to take their products through VeriSign’s rigorous Security Certification Methodology,” said Katie Jenkins, Senior Consulting Manager responsible for VeriSign’s Security Certification Program. “Our program confirms that Xirrus has demonstrated that it has taken reasonable and appropriate steps to identify and manage information security risks and utilize PCI information security best practices for the evaluated Xirrus Wi-Fi Array products.”


Sam’s Club RFID Fines

Beyond WiFi, one of my interests lies in RFID, another wireless technology. I ran across this interesting story at RFID Update.

Nearly a year ago, Sam's Club sent some of their suppliers a letter (dated January 7th, 2008) requiring RFID tagging of shipments to the DeSoto, Texas distribution center by January 31st, 2008. In the letter, Sam's Club outlined fines of $2 to $3 per non-tagged pallet.

Additionally, Sam's Club is requiring tagging at the case level to all distribution centers by October 31, 2009 and at the item level by October 31, 2010.

Have you heard of a company that received a fine after last year’s deadline? Is this a program that is “all bark, and no bite”?

Is Wal-Mart trying to pass along the additional cost of handling non-RFID-tagged goods? It seems that it would be equally effective for Wal-Mart to negotiate different purchase prices with suppliers who do not implement RFID tagging. I would be interested to hear Wal-Mart's reasoning behind the fines in lieu of their other options. After all, what happens to suppliers who choose not to pay fines?

This story is interesting to me from the standpoint that it seems to further the precedent for one business to fine another, rather than fines being levied by government or other regulatory bodies. Did this trend start with the Payment Card Industry? The PCI framework allows banks to fine institutions for non-compliance with their Data Security Standard, which is meant to protect cardholder data.

What do you think about the situation?