While I have typically seen merchants and service providers opt to segment their wireless network from the cardholder data environment to keep it out of PCI compliance scope entirely, sometimes this is not feasible. Here is a quick checklist of what is needed when implementing a wireless network as part of your cardholder data environment (CDE):


PCI Requirement 1.1.2

Current network diagram with all connections to cardholder data, including any wireless networks

  • Pretty self-explanatory, but don’t forget to keep your network diagrams current and review them on an annual basis


PCI Requirement 1.2.3

Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.

  • This is an interesting requirement; a perimeter firewall is required between a wireless network and systems that STORE cardholder data. If you do not store cardholder data (i.e. you have implemented data tokenization) or you only transmit or process cardholder data, then this requirement would not apply.


PCI Requirement 2.1.1

For wireless environments connected to the cardholder data environment or transmitting cardholder data, change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords, and SNMP community strings.

  • Change default encryption keys and make sure they are changed anytime anyone with knowledge of the keys leaves the company or changes positions – this latter part is typically forgotten
  • Change default SNMP community strings on wireless devices
  • Change default passwords/passphrases on access points
  • Update firmware on wireless devices to support strong encryption for authentication and transmission over wireless networks
  • Change other security-related wireless vendor defaults, if applicable


PCI Requirement 4.1.1

Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission.

  • The use of WEP as a security control was prohibited as of 30 June 2010.


PCI Requirement 9.1.3

Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines.

  • For merchants, don’t forget this also applies to wireless access points deployed at your store/restaurant locations


PCI Requirement 10.5.4

Verify that logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) are offloaded or copied onto a secure centralized internal log server or media.

  • Wireless access points are considered “external-facing”, so the logs from your wireless devices need to be sent to a protected internal system (i.e. your centralized log management platform).


PCI Requirement 11.1

Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis.

  • This becomes even more critical to implement if wireless has been implemented within your cardholder data environment.
  • For merchants: don’t forget that wireless scanning is a requirement not just at your data center but at your store locations as well. Not the easiest task, but it is still required.
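
One way to make the quarterly review in Requirement 11.1 repeatable across many store locations, with the WEP prohibition from 4.1.1 checked in the same pass. This is an added example, not part of the original checklist; the CSV column names, the approved-AP inventory and the scan rows are constructed assumptions to adapt to whatever your scanner exports.

```python
import csv
import io

# Constructed inventory of approved access points (BSSID -> site); not real data.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "datacenter",
    "00:11:22:33:44:02": "store-0017",
}

# Constructed scan export; the column layout is an assumption.
SAMPLE_SCAN = """bssid,ssid,encryption,site
00:11:22:33:44:01,corp-pos,WPA2-Enterprise,datacenter
00:11:22:33:44:02,corp-pos,WEP,store-0017
66:77:88:99:AA:BB,corp-pos,WPA2-PSK,store-0017
00:11:22:33:44:01,corp-pos,WPA2-Enterprise,store-0017
"""

WEAK_ENCRYPTION = {"OPEN", "NONE", "WEP"}


def review_scan(scan_csv, authorized=AUTHORIZED_APS):
    """Return (bssid, site, finding) tuples for one scan export."""
    approved = {bssid.upper(): site for bssid, site in authorized.items()}
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        bssid = row["bssid"].strip().upper()
        site = row["site"].strip()
        enc = row["encryption"].strip().upper()
        expected_site = approved.get(bssid)
        if expected_site is None:
            findings.append((bssid, site, "not in approved inventory (11.1)"))
            continue
        if expected_site != site:
            # Approved BSSID heard at another location: moved hardware or a
            # copied BSSID; either way the inventory no longer matches.
            findings.append((bssid, site, f"approved for {expected_site} only (11.1)"))
        if enc in WEAK_ENCRYPTION:
            findings.append((bssid, site, f"weak encryption {enc} (4.1.1)"))
    return findings


if __name__ == "__main__":
    for bssid, site, finding in review_scan(SAMPLE_SCAN):
        print(f"{site:12} {bssid}  {finding}")
```

A BSSID missing from the inventory is a lead to investigate, not proof of a rogue device, since neighbouring businesses' access points show up in the same scan.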

Shelina Samji, PCI QSA
Senior Consultant, PCI Compliance Services