What is the PCI Data Security Standard?
The PCI Data Security Standard (PCI DSS) is a global standard that provides a baseline of technical and operational requirements designed to protect payment data. PCI DSS v4.0 is the next evolution of the standard and was published in March 2022. PCI DSS v3.2.1 remains active for two years after that publication, until 31 March 2024, which gives organizations time to become familiar with the new version and to plan and implement the changes it requires.
Network Segmentation and PCI Compliance
One way to reduce the scope of a PCI assessment is network segmentation. Segmentation, meaning isolation of the cardholder data environment (CDE) from the remainder of the corporate network, is not itself a PCI DSS requirement. It is, however, recommended as a means of reducing the scope and cost of a PCI DSS assessment and of reducing general risk to the organization.
Non-Segmented WiFi / Wireless LANs
Sometimes segmentation is not possible. The following table lists the PCI requirements that apply to wireless networks that are part of the CDE (i.e. are not segmented from the CDE and/or transmit cardholder data).
Compare your equipment's features and configuration against the table below to assess whether your setup can be made compliant when it is not segmented from the CDE. The requirement numbers follow the pre-v4.0 numbering of the standard.
| PCI Requirement | Does your equipment have this feature or support this configuration? | Wireless LAN Equipment Features or Configuration |
|---|---|---|
| 1.2.3 Install perimeter firewalls between any wireless networks and the CDE, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the CDE. | | Treat this as a best practice even on non-segmented networks: limit traffic from the wireless network into the CDE to only what authorized users and devices need for business purposes. Where available, use the WLAN vendor's built-in firewall and policy manager to deny or control wireless traffic into the local LAN and the Internet. Use LAN isolation for guest SSIDs and custom firewall rules for other SSIDs so that only business-necessary traffic reaches the LAN. |
| 2.1.1 For wireless environments connected to the CDE or transmitting cardholder data, change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. Ensure wireless device security settings are enabled for strong encryption technology for authentication and transmission. | | Enterprise equipment typically does not ship with default keys that need to be changed. If using consumer equipment, change the default keys, passwords and SNMP community strings, and consider upgrading to business-class or enterprise-class WiFi equipment. |
| 4.1.1 Ensure wireless networks transmitting cardholder data or connected to the CDE use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission. | | Current WiFi equipment supports the strong encryption modes the requirement calls for: WPA2-PSK and WPA2-Enterprise (both 802.11i, the latter with 802.1X authentication) using AES-CCMP, and WPA3-SAE. Verify that WEP (prohibited by PCI DSS) and WPA/TKIP are disabled on every SSID that carries cardholder data or reaches the CDE. |
| 6.1 Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release. | | Almost all equipment vendors (consumer and business grade) can now install the latest firmware on APs automatically, either through the cloud or locally. Enable or schedule automatic updates so that critical patches are applied within the one-month window. |
| 7.2 Establish an access control system for system components with multiple users that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. | | Use role-based administration that provides full, read-only and lobby-ambassador (guest-account management) roles, and scope each administrator's access to a specific wireless network within the organization. An account should have no access until a role is explicitly assigned. |
| 9.1.3 Restrict physical access to wireless access points, gateways, and handheld devices. | | Most access points offer physical security mechanisms such as a padlock slot or security screws that restrict physical access, and can be mounted in a plenum space or an enclosure for additional protection. |
| 10.5.4 Write logs for external-facing technologies onto a log server on the internal LAN… verify that logs for external-facing technologies are offloaded or copied onto a secure centralized internal log server or media. | | Check whether your equipment can forward logs (for example, via syslog) to a centralized log server on the internal LAN that is backed up. |
| 10.6 Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion-detection systems (IDS) and authentication, authorization, and accounting protocol (AAA) servers. | | Check whether your equipment provides centralized monitoring and logging of all wireless access attempts, successful and failed, in a detailed event log that can be reviewed daily. |
| 11.1 Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use. | | Check whether your equipment includes a wireless IDS with rogue AP detection, which reduces the need for manual quarterly scans. |
| 12.3 Develop usage policies for critical employee-facing technologies (for example, remote-access technologies, wireless technologies...) to define proper use of these technologies for all employees and contractors. | | Implementer's responsibility (a policy document, not an equipment feature). |
| 12.9.5 Include alerts from intrusion-detection, intrusion-prevention, and file-integrity monitoring systems. | | Check whether your equipment includes a wireless intrusion detection system that generates automatic alerts warning of potential security threats, and route those alerts into your incident response process. |
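The 10.5.4, 10.6 and 12.9.5 rows above ask for centralized logs, a daily review and WIDS alerts. The script below is an added example, not code from the original page or from any WLAN vendor, showing what an automated daily review can do once the logs are centralized: it parses a constructed, generic key=value syslog-style format (real controllers and RADIUS servers use their own formats, so the regular expression would need adapting), flags a client that fails authentication five times within ten minutes, surfaces WIDS rogue-AP events, skips lines it cannot parse rather than aborting, and totals successes and failures per AP for the reviewer. The threshold, window and log layout are assumptions.

```python
"""Daily review of wireless authentication and WIDS logs (PCI DSS 10.6 / 12.9.5).

Added example. The log format is a constructed key=value style; adapt LINE_RE
to the actual controller or RADIUS server output before use.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not captured from any real equipment.
SAMPLE_LOG = """\
2024-05-01T09:00:01 ap-pos-1 auth: client=aa:bb:cc:00:00:01 ssid=POS result=SUCCESS
2024-05-01T09:00:05 ap-pos-1 auth: client=de:ad:be:ef:00:01 ssid=POS result=FAILURE reason=bad-psk
2024-05-01T09:00:21 ap-pos-1 auth: client=de:ad:be:ef:00:01 ssid=POS result=FAILURE reason=bad-psk
2024-05-01T09:00:44 ap-pos-1 auth: client=de:ad:be:ef:00:01 ssid=POS result=FAILURE reason=bad-psk
2024-05-01T09:01:02 ap-pos-1 auth: client=de:ad:be:ef:00:01 ssid=POS result=FAILURE reason=bad-psk
2024-05-01T09:01:30 ap-pos-1 auth: client=de:ad:be:ef:00:01 ssid=POS result=FAILURE reason=bad-psk
2024-05-01T09:02:00 ap-pos-1 auth: client=de:ad:be:ef:00:01 ssid=POS result=FAILURE reason=bad-psk
2024-05-01T09:02:15 ap-guest-1 auth: client=aa:bb:cc:00:00:02 ssid=GUEST result=FAILURE reason=bad-psk
2024-05-01T09:02:16 ap-guest-1 auth: client=aa:bb:cc:00:00:02 ssid=GUEST result=SUCCESS
2024-05-01T09:03:10 ap-pos-2 wids: event=ROGUE_AP bssid=11:22:33:44:55:66 ssid=POS channel=6
this line is not in the expected format and is skipped
"""

# <timestamp> <reporting AP> <auth|wids>: key=value key=value ...
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ap>\S+) (?P<kind>auth|wids): (?P<fields>.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we do not understand.

    Unparseable lines are skipped so one odd line cannot silence the whole review.
    """
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = {"ts": datetime.fromisoformat(m["ts"]), "ap": m["ap"], "kind": m["kind"]}
    for kv in m["fields"].split():
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def review(log_text, fail_threshold=5, window=timedelta(minutes=10)):
    """Return {'findings': [...], 'summary': {(ap, result): count}} for one day's log."""
    findings = []
    recent_failures = defaultdict(list)  # client MAC -> timestamps of failures inside the window
    summary = Counter()                  # (ap, result) -> count, for the human reviewer

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "auth":
            result = rec.get("result", "UNKNOWN")
            summary[(rec["ap"], result)] += 1
            if result != "FAILURE":
                continue
            times = recent_failures[rec["client"]]
            times.append(rec["ts"])
            while rec["ts"] - times[0] > window:   # drop failures that left the sliding window
                times.pop(0)
            if len(times) == fail_threshold:       # fire once, when the threshold is crossed
                findings.append({
                    "severity": "high", "category": "auth-bruteforce",
                    "client": rec["client"], "ap": rec["ap"], "ssid": rec.get("ssid"),
                    "first_seen": times[0].isoformat(), "last_seen": rec["ts"].isoformat(),
                })
        elif rec["kind"] == "wids" and rec.get("event") == "ROGUE_AP":
            findings.append({
                "severity": "high", "category": "rogue-ap", "ap": rec["ap"],
                "bssid": rec.get("bssid"), "ssid": rec.get("ssid"),
                "channel": rec.get("channel"), "seen": rec["ts"].isoformat(),
            })
    return {"findings": findings, "summary": dict(summary)}


if __name__ == "__main__":
    report = review(SAMPLE_LOG)
    for f in report["findings"]:
        print(f["severity"].upper(), f["category"], f)
    for (ap, result), n in sorted(report["summary"].items()):
        print(f"{ap:12} {result:8} {n}")
```

The brute-force rule fires exactly once per client when the count reaches the threshold, so a long-running attack produces one finding rather than one per packet; the per-AP totals give the reviewer the "at least daily" overview the requirement asks for even on days with no findings.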
WiFi Scanning Tool for PCI Compliance
If your equipment does not offer rogue detection, automatic alerting and centralized logging of security events, a good option is a standalone WiFi scanner used for manual scans, quarterly or more often, to find rogue access points.
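A manual scan only satisfies requirement 11.1 if its output is compared against an inventory of authorized access points. The script below is an added example, not code from the original page and not the WiFi Scanner tool the page mentions; it triages a scan exported as CSV against a constructed inventory and reports unknown BSSIDs, an unknown BSSID advertising one of our SSIDs (an evil-twin candidate), authorized APs whose SSID or encryption no longer matches the inventory, authorized APs running encryption below WPA2/AES (the 4.1.1 row), and inventoried APs the scan did not see. The CSV columns, the inventory and the security-mode labels are assumptions; map them to whatever your scanner exports.

```python
"""Triage a WiFi scan against an authorized-AP inventory (PCI DSS 11.1 / 4.1.1).

Added example. Scan data, inventory and security-mode labels are constructed.
"""
import csv
import io

# Weak-to-strong ordering of security modes as a scanner might label them.
# Anything below WPA2 with AES is unacceptable for a network that carries
# cardholder data; WEP is prohibited outright.
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA-TKIP": 2, "WPA2-PSK": 3, "WPA2-EAP": 4, "WPA3-SAE": 5}
MIN_ACCEPTABLE = SECURITY_RANK["WPA2-PSK"]

# Constructed inventory: BSSID -> (SSID, expected security mode).
AUTHORIZED = {
    "00:11:22:33:44:01": ("POS", "WPA2-EAP"),
    "00:11:22:33:44:02": ("POS", "WPA2-EAP"),
    "00:11:22:33:44:03": ("GUEST", "WPA2-PSK"),
    "00:11:22:33:44:04": ("POS", "WPA2-EAP"),
    "00:11:22:33:44:05": ("POS", "WPA2-EAP"),
}

# Constructed scan export, not from a real site survey.
SAMPLE_SCAN = """\
bssid,ssid,channel,security,signal_dbm
00:11:22:33:44:01,POS,6,WPA2-EAP,-41
00:11:22:33:44:02,POS,11,WPA2-EAP,-55
00:11:22:33:44:03,GUEST,1,WPA2-PSK,-47
11:22:33:44:55:66,POS,6,WPA2-PSK,-38
66:55:44:33:22:11,CoffeeShop,1,OPEN,-80
00:11:22:33:44:04,POS,36,WEP,-50
"""


def parse_scan(text):
    """Read the CSV export into a list of dicts with normalized BSSIDs and numeric fields."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["bssid"] = row["bssid"].strip().lower()
        row["channel"] = int(row["channel"])
        row["signal_dbm"] = int(row["signal_dbm"])
    return rows


def _finding(severity, category, row, note):
    return {"severity": severity, "category": category, "bssid": row["bssid"],
            "ssid": row["ssid"], "channel": row["channel"], "security": row["security"],
            "signal_dbm": row["signal_dbm"], "note": note}


def triage(scan_rows, authorized):
    """Compare scan rows with the inventory and return a list of findings."""
    our_ssids = {ssid for ssid, _ in authorized.values()}
    seen = set()
    findings = []
    for row in scan_rows:
        bssid, ssid, sec = row["bssid"], row["ssid"], row["security"]
        rank = SECURITY_RANK.get(sec, -1)   # an unrecognized mode string is treated as weakest
        entry = authorized.get(bssid)
        if entry is None:
            if ssid in our_ssids:
                findings.append(_finding("high", "evil-twin", row,
                                         "unknown BSSID advertising one of our SSIDs"))
            else:
                findings.append(_finding("low", "unknown-ap", row,
                                         "unknown BSSID; confirm it is a neighbour, not a device on our LAN"))
            continue
        seen.add(bssid)
        exp_ssid, exp_sec = entry
        if rank < MIN_ACCEPTABLE:
            findings.append(_finding("high", "weak-encryption", row,
                                     f"{sec} is below WPA2/AES and must not carry cardholder data"))
        if ssid != exp_ssid or rank < SECURITY_RANK[exp_sec]:
            findings.append(_finding("high", "config-mismatch", row,
                                     f"inventory expects {exp_ssid}/{exp_sec}, scan shows {ssid}/{sec}"))
    for bssid, (ssid, sec) in authorized.items():
        if bssid not in seen:
            findings.append({"severity": "info", "category": "not-seen", "bssid": bssid,
                             "ssid": ssid, "security": sec,
                             "note": "authorized AP not seen; verify it is powered on and in range"})
    return findings


if __name__ == "__main__":
    for f in triage(parse_scan(SAMPLE_SCAN), AUTHORIZED):
        print(f["severity"].upper(), f["category"], f["bssid"], f["ssid"], f["note"])
```

Keying the comparison on BSSID rather than SSID is what makes the evil-twin check possible: an attacker can copy the SSID but cannot appear in the inventory. Keep the inventory under change control, since an AP someone adds without updating it will show up as a rogue on the next scan, which is the desired behaviour.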
How to locate rogue access points using WiFi Scanner for Windows