In what commentators describe as a "partial crack" of the Wi-Fi Protected Access (WPA) encryption standard, researchers have found a way both to read WPA-secured messages and to transmit bogus ones. WPA has been rolled out as the replacement for the insecure Wired Equivalent Privacy (WEP), including within the Payment Card Industry (PCI) Data Security Standard (DSS). Specifically, Section 2.1.1 of the recently released v1.2 of the DSS cites WPA as an example of an acceptable mechanism for implementing strong encryption over wireless networks.
Although the WPA crack apparently does not expose the actual encryption keys, the fact that a vulnerability has been found reinforces the need for a comprehensive and pragmatic risk-based approach to security. The PCI DSS recognizes this in the context of wireless security, where it states that "a company should carefully evaluate the need for the technology against the risk. Consider deploying wireless technology only for non-sensitive data transmission."