A chain of independent 7-Eleven convenience stores in central Oklahoma has completed a highly distributed Wi-Fi rollout to support a new inventory management system. Starting the wireless project from scratch has allowed the company to fully embrace wireless Payment Card Industry Data Security Standard (PCI DSS) mandates.

The 102-store retailer - owned and managed separately from the nationwide 7-Eleven chain - recently deployed a Retalix inventory control system to automatically track and reorder products for each store. To support it, 7-Eleven installed Aerohive 802.11a/b/g wireless LANs and LXE MX7 barcode-scanning handsets in February, says Mike Mattice, senior systems programmer and integrator at the company.

In-store personnel scan inventory with the Wi-Fi Protected Access (WPA) 2-capable LXE handsets, which forward the data over 802.11b or 802.11g to an Aerohive HiveAP (usually one per store). HiveAPs also contain controller functions, alleviating dependence on separate controllers, a cost and management consideration for highly distributed enterprises such as retailers and financial institutions. The HiveAPs communicate with a Retalix host in the company’s data center using a VPN service from the local cable company, Mattice says.

Start-up Aerohive’s HiveAPs are representative of newer WLAN architectures, which are swinging back from being centralized to at least somewhat distributed to match traffic patterns and ease bottlenecks. HiveAPs, for one, operate much like a mesh router network, albeit over the airwaves instead of copper wiring. They use special control protocols to discover one another, exchange state and best-path information and locally forward traffic. Central IT staff, however, handle AP provisioning, configuration and policy-setting at a management console in the company’s data center.

A stateful packet-inspection firewall embedded in the HiveAP limits 7-Eleven employees to accessing just the Retalix application server, which resides behind its own data center firewall, as well, explains Mattice. Firewall segregation is one of the PCI DSS mandates.

PCI DSS also requires encrypting credit cardholder data in wireless networks using WPA2, IPSec, or SSL. Though 7-Eleven isn’t wirelessly transmitting credit card information at this juncture, it is using the WPA2 capabilities in the Aerohive infrastructure equipment and LXE handsets to protect data.

Joanie Wexler is an independent networking technology writer/editor in Silicon Valley.