Ensure compliance with PCI DSS wireless requirements using AirTight Networks' automated wireless scanning, audit, and compliance solutions. SpectraGuard® Online automates wireless scanning and requires no IT intervention, making PCI wireless compliance low cost and effortless. SpectraGuard Online is offered as four levels of on-demand services to help you meet the PCI wireless requirements that directly apply to your organization's needs.
- Automated wireless scanning for compliance of all locations
- Monthly wireless scan report delivered to inbox for all locations

PCI Quarterly Scan + Alerts
- Automated wireless compliance scanning
- PCI report delivered monthly
- Real time 24x7 intrusion and rogue detection alerts via email
- Archiving of alerts for 1 year

24x7 Wireless Monitoring Service
- 24x7 wireless LAN monitoring
- Access to wireless IDS console
- Real time 24x7 intrusion and rogue detection alerts via email
- Customized troubleshooting and unlimited reporting

24x7 Wireless Remediation Service
- Full wireless IPS capabilities in a SaaS model
- Monitoring service plus automatic or manual threat prevention
- Location tracking to locate and remove rogue APs
- Advanced forensics and troubleshooting
- Physical inventory and location of all APs
Select your cardholder data environment (CDE) below to see which PCI DSS 1.2 wireless requirements apply to your organization and which SpectraGuard Online service is best for you.
Organizations must scan ALL their sites at least quarterly to detect Rogue or unauthorized wireless devices that may be attached to the CDE. Scanning only a sample of sites is not allowed. Scanning only the CDE wired network does not serve the purpose, as it cannot detect Rogue wireless devices.
Walking around with a wireless analyzer for conducting scans is a time-consuming process, limited in scope (in terms of ability to discover Rogue APs and relevance over a longer time duration), cannot scale for large premises and is costly if multiple sites have to be scanned.
Using a wireless IPS (WIPS) for scanning is a much more convenient and comprehensive alternative. A WIPS gives you:
- 24x7 monitoring of wireless devices
- Ability to maintain an up-to-date wireless device inventory (recommended by the PCI SSC Wireless SIG)
- Instant detection of Rogue wireless APs
- Automatic blocking of Rogue APs and other wireless threats or hack attacks
- Location tracking capability to physically hunt down Rogue and other threat posing wireless devices
Archive logs of wireless activity over one year on a central server where the logs cannot be tampered with, and keep the past 90 days of logs available for immediate review.
Review wireless access logs daily to check for any anomalous activity and follow up any exceptions. Here a WIPS can be repurposed to maintain records of wireless activity it has monitored and can also help in forensic analysis of past data if necessary.
Change default password: Change the default password of your wireless AP with a stronger password (at least eight characters and a mix of alphanumeric characters). This will prevent unauthorized users from logging into your AP and manipulating its settings.
Change default SSID: The Service Set Identifier (SSID) or network name can be configured on a wireless AP. Replace the default SSID with a unique name that does not reveal the identity or other private information about your organization.
Turn off unused services: By default certain wireless APs may run additional services such as Web-based remote management, zero configuration, and SNMP based monitoring. If you are not using these services, simply turn them off. If you use SNMP, prefer SNMPv3 that supports stronger authentication than its predecessors.
Turn on security settings: Most wireless APs come with wireless security turned off by default. Cardholder data sent over an unsecured wireless connection is up for grabs and can be passively sniffed by unauthorized users. Turn on the security on your wireless APs and use strong encryption and authentication. See requirement 4.1.1 for more details.
Use Wi-Fi Protected Access (WPA or WPA2) for implementing a secure wireless network. Use at least the Temporal Key Integrity Protocol (TKIP), preferably the Advanced Encryption Standard (AES), to protect in-transit cardholder data against eavesdropping. Implement 802.1X-based central authentication to restrict wireless network access to authorized users. If you instead use Pre-Shared Key (PSK) authentication, use a strong passphrase that is at least eight characters long and a mix of alphanumeric and special characters.
Do not use the Wired Equivalent Privacy (WEP) protocol for encrypting wireless data. WEP is fundamentally broken and cannot be fixed by any supplementary solutions. Use of WEP is not allowed in the CDE after June 30, 2010. If using a WEP-encrypted wireless network, a WIPS that detects and blocks WEP cracking attacks could serve as a compensating control.
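The hardening rules above (default password and SSID, unused services, SNMPv3, WPA/WPA2 with AES preferred, PSK strength, no WEP) can be checked mechanically against an AP configuration export. The following is an added example, not AirTight code: the config field names, the default-value lists and the sample APs are all constructed assumptions.

```python
import re

# Constructed sample defaults and hypothetical field names, for illustration only.
DEFAULT_SSIDS = {"default", "wireless", "linksys"}
DEFAULT_PASSWORDS = {"admin", "password", "12345678"}

def strong(secret, special=False):
    """>= 8 chars with letters and digits (assumed reading); PSK also needs a special char."""
    ok = len(secret) >= 8 and re.search(r"[A-Za-z]", secret) and re.search(r"\d", secret)
    return bool(ok and (not special or re.search(r"[^A-Za-z0-9]", secret)))

def audit_ap(cfg, org_name):
    """Return findings for one AP config dict, in the order the page lists its checks."""
    out = []
    pw = cfg["admin_password"]
    if pw.lower() in DEFAULT_PASSWORDS or not strong(pw):
        out.append("FAIL default or weak admin password")
    ssid = cfg["ssid"].lower()
    if ssid in DEFAULT_SSIDS:
        out.append("FAIL default SSID")
    elif org_name.lower() in ssid:
        out.append("FAIL SSID reveals organization")
    for name, svc in sorted(cfg["services"].items()):
        if svc["enabled"] and not svc["in_use"]:
            out.append(f"FAIL unused service enabled: {name}")
        elif name == "snmp" and svc["enabled"] and svc.get("version", 1) < 3:
            out.append("WARN SNMP in use but not SNMPv3")
    sec = cfg["security"]
    if sec == "none":
        out.append("FAIL wireless security turned off")
    elif sec == "wep":
        out.append("FAIL WEP in use")
    elif sec in ("wpa", "wpa2"):
        if cfg["cipher"] == "tkip":
            out.append("WARN TKIP in use, AES preferred")
        if cfg["auth"] == "psk" and not strong(cfg.get("psk", ""), special=True):
            out.append("FAIL weak PSK passphrase")
    else:
        out.append(f"FAIL unknown security mode: {sec}")
    return out

# Constructed sample configurations.
FACTORY_AP = {"admin_password": "admin", "ssid": "linksys", "security": "wep",
              "services": {"snmp": {"enabled": True, "in_use": True, "version": 2},
                           "web_remote_mgmt": {"enabled": True, "in_use": False}}}
HARDENED_AP = {"admin_password": "r7Kq92xLm4", "ssid": "net-4417", "security": "wpa2",
               "cipher": "aes", "auth": "802.1x",
               "services": {"snmp": {"enabled": True, "in_use": True, "version": 3}}}
PSK_AP = dict(HARDENED_AP, ssid="AcmeStore-POS", cipher="tkip", auth="psk", psk="acmestore1")
```

Call `audit_ap(cfg, "Acme")` for each exported AP configuration; an empty list means none of the listed rules were violated.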
In defining wireless usage policies, organizations will need to understand how to securely deploy a wireless network and encourage users to follow best practices when they use wireless laptops and handheld devices. Once wireless access policies are defined, a WIPS can be used to truly enforce those policies and proactively secure the CDE against unauthorized wireless access.
A WIPS can help you automatically respond to incidents by blocking wireless threats such as Rogue APs before any damage is done. Any Rogue AP connected to a wired network inside the CDE should be physically removed. The location tracking capability of a WIPS can help locate the Rogue AP. A WIPS can also proactively protect against other common wireless threats such as man-in-the-middle attacks, denial-of-service attacks, and ad-hoc networks.
Physical access to authorized wireless APs and clients should be restricted to minimize tampering of these devices and exposure of cardholder data. A WIPS can also serve as a wireless inventory management system, monitoring wireless devices and their activities, tracking their physical location inside the CDE, and enabling the administrator to quickly discover any missing or tampered devices.
AirTight's PCI scanning and remediation services offer a radically less expensive alternative to any competitive solution available today with pricing as low as $20 per month for a single location.
- Incur no capital expenditures
- Pay for only the wireless security features required
- Affordable, predictable total cost of ownership
- No hardware or software obsolescence
- Upgrade to full wireless IPS capabilities - no additional deployment costs
If you would like to learn more about SpectraGuard Online, please fill in the form below or call AirTight at +1 (877) 424 7844