Bluetooth Encryption


phil.i
01-08-2009, 03:03 AM
We supply and support a number of mobile devices running a retail application which pair with a PIN pad/reader using Bluetooth (cable replacement).

The PIN never leaves the PIN pad but the PAN and other in-scope data is returned to our terminal over the Bluetooth link. The pairing uses an 8-byte passkey (which could be extended to 16 bytes) and devices are not discoverable.

PCI-DSS doesn't really address Bluetooth connectivity so I wondered what the current thinking / best practice is with regards to securing this link?

In the UK we have APACS (http://www.apacs.org.uk/) which in their Standard 70 document has some best practice recommendations (that I can post), but ultimately it is PCI-DSS that will dictate the additional steps required to secure this link.

Any thoughts?

Phil

jbhall56
01-08-2009, 04:24 AM
I would rely on the APACS document for the moment as it's the best, best practices document I've seen to date.

The problem with these wireless technologies is that they are not totally as hidden as most people think since they emit radio waves in the public domain and those waves can be detected by the right hardware. What you have on your side for the time being is the fact that the hardware and software required to exploit a 'hidden' wireless device is still out of the league of your typical attacker. However, I can tell you that certain covert organizations have developed the necessary hardware and software to compromise any wireless devices. And it is only a matter of time before this technology also gets to the general public via attackers researching this area or the leaking of the solutions from these covert organizations.

That said, the only alternative you have to securing these connections is the use of encrypted communications. While that's likely implementable on devices that use 802.11, it may not be implementable on Bluetooth devices because of their limited processing power. And even with 802.11, I can tell you that while iPod Touches and iPhones can handle 128-bit SSL connections, they don't do it all that well and they eat a lot of battery power to do it.

andrewj
01-08-2009, 11:44 AM
I would recommend reading these NIST publications:

http://csrc.nist.gov/publications/drafts/800-121/Draft-SP800-121.pdf
Bluetooth security draft standard

http://csrc.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf
Wireless security standard (includes Bluetooth)

And googling for 'bluesniper' (which is a Bluetooth sniffer that can be assembled by anyone, using a Yagi antenna). This link appears like a reasonable source, if a little old:

http://searchmobilecomputing.techtarget.com/news/article/0,289142,sid40_gci1179892,00.html