scope:

Wireless technologies have rapidly emerged as significant components of networks. The ease and speed of deployment, as well as inexpensive transmission rates, makes them ideal for deploying new systems. Whereas installations used to be delayed several months because of complicated landline connections, a wireless deployment can happen the same day an ATM or POS terminal is ordered. Greater wireless coverage, greater reliability, higher transfer speeds, and improved equipment quality has only increased the likelihood that ATMs with wireless are a preferred option. Data classification and risk assessments still need to be performed, however, to determine asset value and the risks introduced by transmission over wireless networks. The question is still how data is being secured. Numerous control methods must be used to protect sensitive data on wireless networks such as encrypting communication prior to transmission and decrypting it afterwards.

Wireless ATM and POS security requirements within in this standard are based on common "wired-devices" industry requirements, however there are no such X9 or ISO standards. Within the scope of this Standard the following topics are addressed:

▪ Both end-to-end (E2E) and point-to-point (P2P) encryption to protect transactional and operational information from unauthorized entities.

▪ Patches and modification management to protect systems from vulnerabilities.

▪ Configuration management to protect wireless systems from weaknesses.

▪ Physical and logical security controls to protect wireless access.

▪ Network segmentation to protect against attacks originating from wired and wireless environments.

▪ Monitoring controls to detect threats from higher risk environments.

Wireless technology, while potentially reducing the cost or complexity of a financial system implementation, may introduce additional fraud risks or enable other criminal activities. Use of appropriately secure wireless technology, methods and controls can help identify and mitigate these risks.

This Standard is applicable to radio frequency wireless technologies including IEEE 802.11, Global System for Mobile Communications (GSM), Code-Division Multiple Access (CDMA) General Packet Radio Services (GPRS) and Satellite. However non-radio frequency wireless technologies, such as infrared and lasers, are not in scope.

Note that data classification and risk assessments, regardless of whether data transmission is over wired or wireless environments, are part of general security policy and best practices. The standard X9.112 Wireless Management and Security has several parts addressing various areas.

▪ Part 1 of X9.112 provides an overview of wireless radio frequency (RF) technology risks and general requirements applicable to all wireless implementations for the financial services industry.

▪ Part 2 of X9.112 provides an interpretation of Part 1 technology and general requirements for automated teller machines (ATM) and point of sale (POS) terminals environments.

▪ Part 3 of X9.112 provides an interpretation of Part 1 technology and general requirements for mobile environments.

Other parts of this Standard may provide specific applications of wireless technology and associated risks, as well as technologies, methods and controls that mitigate those risks.