In the context of wireless network security, we hear a lot about WEP vs WPA, but these technologies are not widely understood, especially among attorneys.
WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access) are two alternative ways to protect a wireless network from unauthorized interception, and WPA is the more secure of the two. In fact, researchers have reported consistently for several years that it is relatively easy to break into a WEP-secured wireless network. For that reason, as discussed further below, industry standards as well as regulators require that WPA (instead of WEP) be used to secure wireless networks that carry sensitive information such as credit card numbers. Nonetheless, many companies are still using WEP.
Earlier this month, the PCI Council (the custodian of the payment card industry’s data security standards) released its “Information Supplement: PCI DSS Wireless Guideline,” which reiterates the PCI Data Security Standard’s requirement that wireless networks associated with payment card environments must implement WPA on legacy wireless implementations by June 30, 2010. (New wireless deployments have been required to implement WPA since March 31, 2009.) Complying with the PCI Data Security Standard is contractually required of entities that store, process or transmit payment card data.
Driving this point home is a recent settlement between TJX and 41 state attorneys general arising from the massive credit card data breach suffered by TJX in late 2006. Under the settlement, TJX is required to implement WPA (or equivalent) security on its wireless systems. TJX’s use of WEP security on its in-store wireless networks was allegedly partly to blame for the breach, which compromised tens of millions of payment cards.