Payment Card Industry Data Security Standards (PCI DSS) is a set of information security standards published by the Payment Card Industry Security Standards Council to help organizations that process credit card transactions to protect their customers' account data and make sure that their networks are secure from intruders.
PCI DSS 4.0
PCI DSS 4.0 is the latest version of the payment card industry standard. It incorporates PCI DSS 3.2, which brought security and performance improvements over previous versions. The latest version also adds new requirements that extend beyond simple compliance with Visa, MasterCard and Discover Financial Services to cover ATM, mobile POS and advanced multi-factor authentication strategies that can help protect physical access to computers and networks.
PCI DSS and Wireless
The most relevant Wi-Fi / wireless-related sections of PCI DSS 4.0 are reproduced below.
If wireless technology is used to store, process, or transmit account data (for example, wireless point-of-sale devices), or if a wireless local area network (WLAN) is part of or connected to the cardholder data environment (CDE), the PCI DSS requirements and testing procedures for securing wireless environments apply and must be performed.
Rogue wireless detection must be performed per PCI DSS Requirement 11.2.1 even when wireless is not used within the CDE and the entity has a policy that prohibits the use of wireless technology within its environment. This is because of the ease with which a wireless access point can be attached to a network, the difficulty in detecting its presence, and the increased risk presented by unauthorized wireless devices.
Before wireless technology is implemented, an entity should carefully evaluate the need for the technology against the risk. Consider deploying wireless technology only for non-sensitive data transmission.
11.2 Wireless access points are identified and monitored, and unauthorized wireless access points are addressed.
11.2.1 Authorized and unauthorized wireless access points are managed as follows:
• The presence of wireless (Wi-Fi) access points is tested for.
• All authorized and unauthorized wireless access points are detected and identified.
• Testing, detection, and identification occur at least once every three months.
• If automated monitoring is used, personnel are notified via generated alerts.
Purpose: Implementation and/or exploitation of wireless technology within a network are common paths for malicious users to gain unauthorized access to the network and cardholder data.
Unauthorized wireless devices could be hidden within or attached to a computer or other system component. These devices could also be attached directly to a network port, to a network device such as a switch or router, or inserted as a wireless interface card inside a system component. If a wireless device or network is installed without a company’s knowledge, it can allow an attacker to enter the network easily and “invisibly.”
Detecting and removing such unauthorized access points reduces the duration and likelihood of such devices being leveraged for an attack.
Good Practice: The size and complexity of an environment will dictate the appropriate tools and processes to be used to provide sufficient assurance that a rogue wireless access point has not been installed in the environment. For example, performing a detailed physical inspection of a single stand-alone retail kiosk in a shopping mall, where all communication components are contained within tamper-resistant and tamper-evident casings, may be sufficient to provide assurance that a rogue wireless access point has not been attached or installed. However, in an environment with multiple nodes (such as in a large retail store, call center, server room or data center), detailed physical inspection can be difficult. In this case, multiple methods may be combined, such as performing physical system inspections in conjunction with the results of a wireless analyzer.
11.2.2 An inventory of authorized wireless access points is maintained, including a documented business justification.
Purpose: An inventory of authorized wireless access points can help administrators quickly respond when unauthorized wireless access points are detected. This helps to proactively minimize the exposure of the CDE to malicious individuals.
Good Practice: If using a wireless scanner, it is equally important to have a defined list of known access points which, while not attached to the company’s network, will usually be detected during a scan. These non-company devices are often found in multi-tenant buildings or businesses located near one another. However, it is important to verify that these devices are not connected to the entity’s network port or through another network-connected device and given an SSID resembling a nearby business. Scan results should note such devices and how it was determined that these devices could be “ignored.” In addition, detection of any unauthorized wireless access points that are determined to be a threat to the CDE should be managed following the entity’s incident response plan per Requirement 12.10.1.
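The reconciliation step that Requirements 11.2.1 and 11.2.2 describe is easy to get wrong in practice: a scanner lists every radio in range, and someone has to decide which ones are authorized, which are known neighbours that were previously cleared, and which need to be traced physically or handed to the incident response process. The script below is an added example (not code from the page, the PCI SSC, or any scanner product) that performs that triage over a constructed scan result. The inventory, the neighbour list, the scan lines, the 92-day threshold used to approximate "once every three months" and the SSID-resemblance rule are all assumptions made for illustration.

```python
"""Reconcile a wireless scan against the authorized-AP inventory (PCI DSS 11.2.1 / 11.2.2).

Added example: every table and scan line below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass(frozen=True)
class AccessPoint:
    bssid: str      # radio MAC address, normalized to lower case
    ssid: str
    channel: int
    rssi_dbm: int


# Constructed 11.2.2 inventory: authorized APs with location and business justification.
AUTHORIZED: Dict[str, Dict[str, str]] = {
    "00:11:22:33:44:01": {"ssid": "STORE-POS", "location": "Store 12, back office",
                          "justification": "Wireless POS terminals"},
    "00:11:22:33:44:02": {"ssid": "STORE-GUEST", "location": "Store 12, sales floor",
                          "justification": "Customer guest Wi-Fi, segmented from the CDE"},
    "00:11:22:33:44:03": {"ssid": "STORE-POS", "location": "Store 12, stockroom",
                          "justification": "Wireless POS terminals"},
}

# Constructed list of known non-company neighbours (Good Practice under 11.2.2),
# recording how each one was determined to be safe to ignore.
KNOWN_NEIGHBOURS: Dict[str, Dict[str, str]] = {
    "aa:bb:cc:dd:ee:01": {"ssid": "Coffee-Corner",
                          "cleared_by": "Tenant next door; confirmed not on any of our switch ports"},
}

COMPANY_SSIDS = {entry["ssid"] for entry in AUTHORIZED.values()}

# Constructed scanner output, one AP per line: bssid ssid channel rssi_dbm
SCAN_LINES = """\
00:11:22:33:44:01 STORE-POS 36 -41
00:11:22:33:44:02 STORE-GUEST 6 -52
00:11:22:33:44:03 STORE-GUEST 44 -55
aa:bb:cc:dd:ee:01 Coffee-Corner 11 -70
de:ad:be:ef:00:01 STORE-POS 1 -38
de:ad:be:ef:00:02 Free-WiFi-Setup 48 -60
"""


def parse_scan(text: str) -> List[AccessPoint]:
    """Parse whitespace-separated scan lines into AccessPoint records."""
    aps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, ssid, channel, rssi = line.split()
        aps.append(AccessPoint(bssid.lower(), ssid, int(channel), int(rssi)))
    return aps


def ssid_lookalike(ssid: str, company_ssids) -> bool:
    """True if the SSID equals a company SSID once case, spaces and punctuation are ignored.

    Assumed heuristic: catches 'store pos' or 'STORE_POS' posing as 'STORE-POS'.
    """
    def norm(s: str) -> str:
        return "".join(ch for ch in s.lower() if ch.isalnum())
    return any(norm(ssid) == norm(c) for c in company_ssids)


def classify(ap: AccessPoint) -> str:
    """Assign one triage category to a detected access point."""
    if ap.bssid in AUTHORIZED:
        if AUTHORIZED[ap.bssid]["ssid"] != ap.ssid:
            return "AUTHORIZED_MISCONFIGURED"     # inventory and radio disagree; investigate
        return "AUTHORIZED"
    if ap.bssid in KNOWN_NEIGHBOURS:
        return "KNOWN_NEIGHBOUR"                  # previously cleared; note it in the scan record
    if ssid_lookalike(ap.ssid, COMPANY_SSIDS):
        # An unknown radio advertising a company SSID is a threat to the CDE:
        # handle under the incident response plan (Requirement 12.10.1).
        return "ROGUE_CANDIDATE_IMPERSONATING"
    return "UNKNOWN"                              # must be physically traced before the scan is closed


def reconcile(aps: List[AccessPoint]) -> Dict[str, List[AccessPoint]]:
    """Group scan results by triage category."""
    findings: Dict[str, List[AccessPoint]] = {}
    for ap in aps:
        findings.setdefault(classify(ap), []).append(ap)
    return findings


def scan_overdue(last_scan_iso: str, today_iso: str, max_days: int = 92) -> bool:
    """11.2.1 requires testing at least once every three months; 92 days is an assumed cut-off."""
    return (date.fromisoformat(today_iso) - date.fromisoformat(last_scan_iso)).days > max_days


if __name__ == "__main__":
    for category, aps in reconcile(parse_scan(SCAN_LINES)).items():
        for ap in aps:
            print(f"{category:32} {ap.bssid} {ap.ssid!r} ch{ap.channel} {ap.rssi_dbm} dBm")
    print("quarterly scan overdue:", scan_overdue("2024-01-15", "2024-06-01"))
```

Two design points matter here. Matching is done on BSSID, not SSID, because an SSID is trivially copied; the SSID check is only used to raise the priority of an unknown radio. And the known-neighbour table stores the reason each device was cleared, which is exactly what the Good Practice text asks the scan record to note, so the evidence is ready when a QSA asks how a detected device was determined to be ignorable.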
The full PCI DSS 4.0 document can be downloaded from the PCI Security Standards Council's document library.
Wireless Scanner / WiFi Analyzer
PCI DSS Requirement 11.2 requires that Wi-Fi networks are periodically scanned for rogue access points. A rogue access point is an unauthorized wireless access point or network. WiFi Scanner for Windows enables you to discover 2.4 GHz, 5 GHz and the newer 6 GHz (Wi-Fi 6E) access points and determine whether any security weaknesses exist in your wireless network.