Hi Team,
Got a question for the WiFi & PCI DSS Compliance gurus out there. I have outside vendors coming in for various community-wide events at my church. They want to run their square-esque devices on our guest WiFi network. While the guest network is isolated from the main org network, and devices on the guest network are isolated from each other, all devices (on the Guest WiFI) share the same VLAN. My understanding is that the network configuration is not PCI DSS compliant and consequently, the only credit card machines Bethel uses as an organization itself have a separate cellular data connection unique to each device.
What is my PCI DSS liability for outside vendors and their credit card machines though? For all practical purposes, I can’t stop them from using the guest Wifi. While it is technically their choice as to how to run their credit card machines, it’s our event, our building, and our network. How would the credit card companies view a situation like this in case of a breach?
– Edited to clarify that all devices on the Guest WiFI share the same VLAN. The main network is on separate VLAN(s).
Cellular data is encrypted over the air unique to every device, which is a preventative measure to prevent man-in-the-middle attackers from eavesdropping. The only way to reproduce that on ANY WiFi is to have a separate encrypted VPN connection between the device and the remote endpoint. If the payment device vendor is providing WiFi enabled devices, they MUST provide unique secure VPN connection between each payment terminal and their payment processing system to provide any kind of guarantee of security.
However, the question you are asking is a legal, not a technical one. I would suggest you bounce this to your legal advisors. However from a technical compliance point of view, you cannot be held responsible for someone else’s action or inaction or their misuse of your infrastructure against your advice. Again, this is a legal question - speak to a lawyer.
Hi Daniel!
This is probably a question best asked to your merchant account, who requires the PCI compliance. Russ’ response is accurate… it’s your merchant provider who needs to make that determination.
Hoping that helps,
Nick
You should have zero PCI Compliance liability for an outside vendor using your public wifi. You have no agreement with their merchant vendor. That’s between them and their vendor.
The vendors are responsible for their own PCI Compliance. Square, etc.
perform their own connection security (TLS with key pinning, etc.).
Also, if you have WPA enabled, traffic is separately encrypted per
endpoint over the air but a huge class of layer 2 vulnerabilities still
exist based on your network configuration.
If people start being liable for their public wifi networks, that sets a
bad precedent and probably signals the beginning of the end of them.
I can’t comment for regulations in the US, but in the UK & EU there have been legal cases about liability for misuse or inappropriate use of public WiFi services. You can find some info in the following links:
Given the similarity of the US & UK legal systems, I expect a similar approach to responsibility and liability will be taken when interpreting the relevant laws.