The credit-card industry has finally revised rules to make WEP persona non grata: The PCI Security Standards Council was founded by Amex, Discover, JCB, Visa, and MasterCard, and each organization agreed to adopt the standards that the group decides on. The latest update of the Data Security Standard (DSS), drafted early this year, was adopted and released yesterday, and profoundly alters Wi-Fi security practices for any company that accepts any of major credit card. A summary can be downloaded under PCI DSS Summary of Changes.
The new rules prohibit the use of the highly broken WEP (Wired Equivalent Privacy) standard as part of any credit-card processing--such as from a store terminal to a server--after 30-June-2010, and prohibit any new system from being installed that uses WEP after 31-March-2009. In practice, WEP has remained in relatively wide use among retailers as of last year because many individual and chain stores continue to use ancient point-of-sale gear. The supplier side changed slowly, too, with WEP still included as a standard feature long after WPA was widely available starting in 2004 in business and consumer Wi-Fi gear and computers. The use of WEP is what led to the TJ Maxx parent company network invasion.
The DSS sets both security and audit standards: Merchants must conform to the document's guidelines, and if examined by their merchant card issuer, must be found to conform. If not, they could have the ability to process cards turned off, which makes it hard to be a retailer of any kind.
An analysis of the changes in SearchSecurity states that 802.1X as being required, but I believe that may have been a typo. The SearchSecurity article notes that "802.1x" and "802.11x" are cited as examples of industry best practices in the summary document. However, in both the summary and full version of the DSS, I see "802.11i" listed, which is a generic way to refer to WPA2 with TKIP and AES keys.
This would seem to indicate that the DSS would allow the use of WPA and WPA2 Personal, as is noted in Section 2.1.1. That same section, however, recommends the use of AES, which is only available in WPA2 compliant hardware. There doesn't seem to be any mention of 802.1X or WPA/WPA2 Enterprise elsewhere in the document or its summary.