Ensure compliance with PCI DSS wireless requirements using AirTight Cloud Services (formerly SpectraGuard Online) that automates wireless scanning and makes PCI wireless compliance effortless. And with a pay-as-you-go subscription model, it removes capital outlay and makes wireless PCI compliance affordable to organizations of all sizes.
Service: PCI Wireless Compliance
Capabilities:
- Automated wireless compliance scanning
- PCI report delivered monthly
- Real-time 24x7 intrusion and rogue detection alerts via email
- Archiving of alerts for 1 year
The PCI Security Standards Council Wireless Special Interest Group published the PCI DSS Wireless Guideline on July 16, 2009, which clarifies the wireless security requirements. To comply with PCI DSS, all organizations, regardless of whether or not they have deployed a wireless LAN (WLAN), need to pay attention to securing their Cardholder Data Environment (CDE) from wireless threats. All locations must be scanned to eliminate wireless vulnerabilities.
Organizations must scan ALL their sites at least quarterly to detect Rogue or unauthorized wireless devices that may be attached to the CDE. Sampling of a few sites for scanning is not allowed. Scanning only the CDE wired network does not serve the purpose, as it cannot detect Rogue wireless devices.
Walking around with a wireless analyzer for conducting scans is a time-consuming process, limited in scope (in terms of ability to discover Rogue APs and relevance over a longer time duration), cannot scale for large premises and is costly if multiple sites have to be scanned.
Using a wireless IPS (WIPS) for scanning is a much more convenient and comprehensive alternative. A WIPS gives you:
- 24x7 monitoring of wireless devices
- Ability to maintain an up-to-date wireless device inventory (recommended by the PCI SSC Wireless SIG)
- Instant detection of Rogue wireless APs
- Automatic blocking of Rogue APs and other wireless threats or hack attacks
- Location tracking capability to physically hunt down Rogue and other threat-posing wireless devices
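The distinction the scanning requirement turns on is between an access point that is merely nearby (a neighbor) and one that is actually attached to the CDE wired network (a Rogue). The following is an added example, not AirTight code, showing one way a scanner can make that distinction: it compares a wireless scan export against the authorized device inventory and the CDE switch MAC table, using the MAC-adjacency heuristic (an AP's wired interface MAC is usually within a few addresses of its BSSID). The inventory, scan export, switch table and the adjacency window are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed authorized inventory: BSSID -> SSID the organization deployed.
AUTHORIZED_INVENTORY = {
    "00:1a:2b:3c:4d:10": "corp-pos",
    "00:1a:2b:3c:4d:20": "corp-pos",
}

# Constructed wireless scan export: bssid,ssid,channel,signal_dbm per line.
SCAN_EXPORT = """\
00:1a:2b:3c:4d:10,corp-pos,6,-41
00:1a:2b:3c:4d:20,corp-pos,11,-55
d4:6e:0e:aa:bb:c1,linksys,1,-38
f0:9f:c2:11:22:33,CoffeeShopGuest,6,-79
"""

# Constructed CDE switch MAC table (MACs seen on wired ports inside the CDE).
CDE_WIRED_MACS = {
    "00:1a:2b:3c:4d:0f",  # wired interface of an authorized AP
    "d4:6e:0e:aa:bb:c0",  # wired interface of a consumer router someone plugged in
    "00:50:56:01:02:03",  # a POS terminal
}


@dataclass
class ApObservation:
    bssid: str
    ssid: str
    channel: int
    signal_dbm: int


def parse_scan(text):
    """Parse the constructed CSV-style scan export into observations."""
    rows = []
    for line in text.strip().splitlines():
        bssid, ssid, channel, signal = line.split(",")
        rows.append(ApObservation(bssid.lower(), ssid, int(channel), int(signal)))
    return rows


def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


def seen_on_cde_wire(bssid, wired_macs, window=8):
    """MAC-adjacency heuristic (assumed window of 8 addresses): True if any
    MAC seen on the CDE wire is numerically close to the AP's BSSID."""
    b = mac_to_int(bssid)
    return any(abs(mac_to_int(m) - b) <= window for m in wired_macs)


def classify(observations, inventory, wired_macs):
    """Label each observed AP: AUTHORIZED, MISCONFIGURED (authorized BSSID
    advertising an unexpected SSID), ROGUE (unknown AP that appears to be on
    the CDE wire) or EXTERNAL (unknown AP with no wired correlation)."""
    result = {}
    for ap in observations:
        if ap.bssid in inventory:
            label = "AUTHORIZED" if inventory[ap.bssid] == ap.ssid else "MISCONFIGURED"
        elif seen_on_cde_wire(ap.bssid, wired_macs):
            label = "ROGUE"
        else:
            label = "EXTERNAL"
        result[ap.bssid] = label
    return result


if __name__ == "__main__":
    for bssid, label in classify(parse_scan(SCAN_EXPORT), AUTHORIZED_INVENTORY, CDE_WIRED_MACS).items():
        print(f"{bssid}  {label}")
```

Only the ROGUE label should trigger physical removal; EXTERNAL APs are the neighbors a walk-around analyzer would also see, which is why wired correlation (or active testing of the wired path) is what separates a real finding from noise.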
Archive logs of wireless activity for one year on a central server where the logs cannot be tampered with, and keep the past 90 days of logs available for immediate review.
Review wireless access logs daily to check for any anomalous activity and follow up any exceptions. Here a WIPS can be repurposed to maintain records of wireless activity it has monitored and can also help in forensic analysis of past data if necessary.
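As an added example (not AirTight code) of the daily review and retention check described above: the script below parses constructed, syslog-style wireless access log lines, flags clients that associate to a CDE SSID without being in the known-client list, flags a deauthentication burst against an AP, and lists which days of the 90-day window are missing from the archive. The log format, the known-client list, the CDE SSID set and the deauth threshold of 20 per AP per day are all assumptions for the example.

```python
import re
from collections import Counter
from datetime import date, timedelta

# Constructed wireless access log, one event per line.
_BASE_LINES = [
    "2009-08-03T08:01:10Z assoc client=aa:bb:cc:00:00:01 bssid=00:1a:2b:3c:4d:10 ssid=corp-pos",
    "2009-08-03T08:02:44Z assoc client=aa:bb:cc:00:00:02 bssid=00:1a:2b:3c:4d:10 ssid=corp-pos",
    "2009-08-03T12:30:00Z assoc client=de:ad:be:ef:00:99 bssid=00:1a:2b:3c:4d:20 ssid=corp-pos",
    "2009-08-04T09:00:00Z assoc client=aa:bb:cc:00:00:01 bssid=00:1a:2b:3c:4d:10 ssid=corp-pos",
]
# Thirty deauth frames within one minute against one AP (constructed burst).
_DEAUTH_LINES = [
    f"2009-08-03T12:30:{s:02d}Z deauth client=aa:bb:cc:00:00:01 bssid=00:1a:2b:3c:4d:10 reason=7"
    for s in range(30)
]
WIRELESS_LOG = "\n".join(_BASE_LINES + _DEAUTH_LINES) + "\n"

KNOWN_CLIENTS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}  # constructed
CDE_SSIDS = {"corp-pos"}                                     # constructed

LINE_RE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ (?P<event>\w+) (?P<kv>.*)$")


def parse_log(text):
    """Turn each log line into a dict: day, event, plus the key=value fields."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        rec = {"day": m.group("day"), "event": m.group("event")}
        rec.update(kv.split("=", 1) for kv in m.group("kv").split())
        records.append(rec)
    return records


def review_day(records, day, known_clients, cde_ssids, deauth_threshold=20):
    """Daily review: unknown clients on CDE SSIDs and deauth bursts per AP."""
    findings = []
    deauth_per_bssid = Counter()
    for r in records:
        if r["day"] != day:
            continue
        if r["event"] == "assoc" and r.get("ssid") in cde_ssids and r["client"] not in known_clients:
            findings.append(("unknown-client", r["client"], r["bssid"]))
        elif r["event"] == "deauth":
            deauth_per_bssid[r["bssid"]] += 1
    for bssid, count in deauth_per_bssid.items():
        if count >= deauth_threshold:
            findings.append(("deauth-flood", bssid, count))
    return findings


def missing_archive_days(archived_days, today, window=90):
    """Days within the last `window` days (inclusive of today) with no archived log."""
    expected = {today - timedelta(days=d) for d in range(window)}
    return sorted(expected - set(archived_days))


if __name__ == "__main__":
    recs = parse_log(WIRELESS_LOG)
    for finding in review_day(recs, "2009-08-03", KNOWN_CLIENTS, CDE_SSIDS):
        print(finding)
```

The two findings on 2009-08-03 are exactly the exceptions the daily review is meant to surface: a client the organization does not recognize on the cardholder SSID, and a burst of deauthentication frames that a WIPS would report as a denial-of-service attempt.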
Change default password: Change the default password of your wireless AP to a stronger password (at least eight characters and a mix of alphanumeric characters). This will prevent unauthorized users from logging into your AP and manipulating its settings.
Change default SSID: The Service Set Identifier (SSID) or network name can be configured on a wireless AP. Replace the default SSID with a unique name that does not reveal the identity or other private information about your organization.
Turn off unused services: By default, certain wireless APs may run additional services such as Web-based remote management, zero configuration, and SNMP-based monitoring. If you are not using these services, simply turn them off. If you use SNMP, prefer SNMPv3, which supports stronger authentication than its predecessors.
Turn on security settings: Most wireless APs come with wireless security turned off by default. Cardholder data sent over an unsecured wireless connection is up for grabs and can be passively sniffed by unauthorized users. Turn on the security on your wireless APs and use strong encryption and authentication. See requirement 4.1.1 for more details.
Use Wi-Fi Protected Access (WPA or WPA2) for implementing a secure wireless network. Use at least the Temporal Key Integrity Protocol (TKIP), preferably the Advanced Encryption Standard (AES), to protect in-transit cardholder data against eavesdropping. Implement 802.1X-based central authentication to restrict wireless network access to authorized users. If you instead use Pre-Shared Key (PSK) authentication, use a strong passphrase that is at least eight characters long and a mix of alphanumeric and special characters.
Do not use the Wired Equivalent Privacy (WEP) protocol for encrypting wireless data. WEP is fundamentally broken and cannot be fixed by any supplementary solutions. Use of WEP is not allowed in the CDE after June 30, 2010. If using a WEP-encrypted wireless network, a WIPS that detects and blocks WEP cracking attacks could serve as a compensating control.
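The hardening steps above (default password, default SSID, unused services, encryption and authentication settings, no WEP) are a checklist that can be audited mechanically. The following is an added example, not AirTight code, that evaluates an AP configuration against that checklist and shows a factory-default style configuration beside a hardened one. The configuration dictionary layout, the service names, and the default password and SSID lists are constructed assumptions; the password and passphrase rules implement exactly the criteria stated on this page.

```python
import re

# Constructed: a factory-default style AP configuration.
DEFAULT_AP = {
    "admin_password": "admin",
    "ssid": "linksys",
    "services": {"http_remote_mgmt": True, "snmp": "v2c", "zeroconf": True},
    "security": {"mode": "wep", "cipher": "wep", "auth": "psk", "psk": "password"},
}

# Constructed: the same AP after applying the checklist.
HARDENED_AP = {
    "admin_password": "Xk9!pq2Lm#7v",
    "ssid": "store-pos-7f3a",
    "services": {"http_remote_mgmt": False, "snmp": "v3", "zeroconf": False},
    "security": {"mode": "wpa2", "cipher": "aes", "auth": "802.1x"},
}

DEFAULT_PASSWORDS = {"admin", "password", "", "1234"}        # constructed list
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink"}  # constructed list


def password_is_strong(pw, min_len=8):
    """Admin password rule from the page: >= 8 chars, mix of letters and digits."""
    return len(pw) >= min_len and bool(re.search(r"[A-Za-z]", pw)) and bool(re.search(r"\d", pw))


def passphrase_is_strong(pw, min_len=8):
    """PSK rule from the page: >= 8 chars, letters, digits and special characters."""
    return password_is_strong(pw, min_len) and bool(re.search(r"[^A-Za-z0-9]", pw))


def audit_ap(cfg):
    """Return the checklist items the configuration fails, in a fixed order."""
    findings = []

    pw = cfg["admin_password"]
    if pw in DEFAULT_PASSWORDS:
        findings.append("default-admin-password")
    elif not password_is_strong(pw):
        findings.append("weak-admin-password")

    if cfg["ssid"].lower() in DEFAULT_SSIDS:
        findings.append("default-ssid")

    svc = cfg["services"]
    if svc.get("http_remote_mgmt"):
        findings.append("unused-service:http_remote_mgmt")
    if svc.get("snmp") and svc["snmp"] != "v3":
        findings.append("snmp-not-v3")
    if svc.get("zeroconf"):
        findings.append("unused-service:zeroconf")

    sec = cfg["security"]
    if sec["mode"] == "open":
        findings.append("encryption-off")
    elif sec["mode"] == "wep":
        findings.append("wep-in-use")  # not allowed in the CDE after June 30, 2010
    elif sec.get("cipher") == "tkip":
        findings.append("tkip-prefer-aes")
    if sec.get("auth") == "psk" and not passphrase_is_strong(sec.get("psk", "")):
        findings.append("weak-psk")

    return findings


if __name__ == "__main__":
    print("default :", audit_ap(DEFAULT_AP))
    print("hardened:", audit_ap(HARDENED_AP))
```

Run against a fleet of exported AP configurations, an empty findings list for every AP is the evidence an assessor would want for these requirements; a non-empty list names the exact setting to change.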
In defining wireless usage policies, organizations will need to understand how to securely deploy a wireless network and encourage users to follow best practices when they use wireless laptops and handheld devices. Once wireless access policies are defined, a WIPS can be used to truly enforce those policies and proactively secure the CDE against unauthorized wireless access.
A WIPS can help you automatically respond to incidents by blocking wireless threats such as Rogue APs before any damage is done. Any Rogue AP connected to a wired network inside the CDE should be physically removed. The location tracking capability of a WIPS can help locate the Rogue AP. A WIPS can also proactively protect against other common wireless threats such as man-in-the-middle attack, denial-of-service attack, and ad-hoc networks.
Physical access to authorized wireless APs and clients should be restricted to minimize tampering of these devices and exposure of cardholder data. A WIPS can also serve as a wireless inventory management system, monitoring wireless devices and their activities, tracking their physical location inside the CDE, and enabling the administrator to quickly discover any missing or tampered devices.
AirTight's PCI scanning and remediation services offer a radically less expensive alternative to any competitive solution available today. For pricing or to know more, please fill in the form on the right or call our sales team at +1 (877) 424 7844.
- Incur no capital expenditures
- Pay for only the wireless security features required
- Affordable, predictable total cost of ownership
- No hardware or software obsolescence
- Upgrade to full wireless IPS capabilities with no additional deployment costs