What is the PCI Data Security Standard?
The PCI Data Security Standard (PCI DSS) is a global standard that provides a baseline of technical and operational requirements designated to protect payment data. PCI DSS v4.0 is the next evolution of the standard and was published in March 2022. PCI DSS v3.2.1 will remain active for two years after v4.0 is published. This provides organizations time to become familiar with the new version, and plan for and implement the changes needed.
PCI DSS and Wireless
If wireless technology is used to store, process, or transmit account data (for example, wireless point-of-sale devices), or if a wireless local area network (WLAN) is part of or connected to the cardholder data environment (CDE), the PCI DSS requirements and testing procedures for securing wireless environments apply and must be performed.
Rogue wireless detection must be performed per PCI DSS Requirement 11.1 (PCI DSS v3.2.1) and 11.2.1 (PCI DSS v4.0) even when wireless is not used within the CDE and the entity has a policy that prohibits the use of wireless technology within its environment. This is because of the ease with which a wireless access point can be attached to a network, the difficulty in detecting its presence, and the increased risk presented by unauthorized wireless devices. Before wireless technology is implemented, an entity should carefully evaluate the need for the technology against the risk. Consider deploying wireless technology only for non-sensitive data transmission.
PCI DSS Requirement 11.1 / 11.2.1 Compliance
There are several processes organizations can use to comply with PCI DSS requirement 11.1 / 11.2.1, but most businesses use a WiFi scanning tool. Other possible methods of testing for rogue access points include physical component inspections or wireless intrusion detection systems (IDS).
Document Wireless Devices
It’s difficult to determine which wireless devices you must disable if you don’t have an accurate list of them. That’s why the PCI Council requires you to scan all card data environment locations for known wireless access devices and maintain an up-to-date inventory. If you’re a small ecommerce provider and all your systems fit into a single rack in your data center, then this requirement should be pretty easy and quick. But if you’re a widespread organization, you may need more time to create a list of all wireless access points and note their business justification based on the network diagram or some other form of documentation."
Wireless Scanning Tools
A wireless scanner is an important tool for complying with the PCI DSS. A wireless scanning tool will identify rogue Wi-Fi networks and help to protect your infrastructure and systems against wireless network attacks.
Where to Scan for Wireless Access Point and Rogue Access Points
In order to ensure that rogue devices don't appear in any part of your environment, you must remember to scan all the locations where cardholder data might be stored, processed or transmitted. In accordance with PCI DSS requirements, this means implementing a wireless IDS/IPS in these locations or scanning them regularly.
Make sure you are vigilant and consistent when scanning, so that you don't overlook anything. If a scan identifies a rogue access point it may have been an accident or there could be some nefarious activity going on. We recommend you look at your documentation to determine if the rogue detection is really false (i.e. an authorized user set up their own access point) and then if it is not immediately remediated go back and re-scan the environment as soon as possible given staff limitations and time constraints
Remediate Rogue Access Points
Don’t ignore the rogue threat. If your scan did find a legitimate rogue wireless access point, “companies should immediately remediate the rogue threat in accordance with PCI DSS requirement 12.9 and rescan the environment at the earliest possible opportunity.”
Maintain a Regular Scan Schedule
Because of compliance with PCI DSS Requirement 11.1, companies often only conduct rogue access point scans quarterly or at even longer intervals. However, it’s better to scan for rogue APs on a more frequent basis because the sooner you know about APs in your network, the sooner you can secure them.
Locating Rogue Access Points with WiFi Scanner for Windows