| |
PCI DSS 1.2 Requirements |
No Known WLAN AP in CDE |
Known WLAN AP in CDE |
| Minimum Scanning Requirements
|
Section 11.1 Conduct wireless scans at least quarterly at all locations
Organizations must scan ALL their sites at least quarterly to detect Rogue or unauthorized wireless devices that may be attached to the CDE. Sampling of few sites for scanning is not allowed. Scanning only the CDE wired network does not serve the purpose as it cannot detect Rogue wireless devices.
Walking around with a wireless analyzer for conducting scans is a time-consuming process, limited in scope (in terms of ability to discover Rogue APs and relevance over a longer time duration), cannot scale for large premises and is costly if multiple sites have to be scanned.
Using a wireless IPS (WIPS) for scanning is a much more convenient and comprehensive alternative. A WIPS gives you:
- 24x7 monitoring of wireless devices
- Ability to maintain an up-to-date wireless device inventory (recommended by the PCI SSC Wireless SIG)
- Instant detection of Rogue wireless APs
- Automatic blocking of Rogue APs and other wireless threats or hack attacks
- Location tracking capability to physically hunt down Rogue and other threat posing wireless devices
|
 |
|
| Section 11.4 Monitor wireless intrusion alerts
A WIPS should be configured to send automatic threat alerts and instantly notify concerned personnel about potential risks and attacks.
|
|
|
| Section 12.9 Eliminate wireless threats
A WIPS can help you automatically respond to incidents by blocking wireless threats such as Rogue APs before any damage is done. Any Rogue AP connected to a wired network inside the CDE should be physically removed. The location tracking capability of a WIPS can help locate the Rogue AP. A WIPS can also proactively protect against other common wireless threats such as man-in-the-middle attack, denial-of-service attack, and ad-hoc networks.
|
|
|
|
| Secure Wireless Deployment Requirements
|
Section 2.1.1 Change default settings
Change default password: Change the default password of your wireless AP with a stronger password (at least eight characters and a mix of alphanumeric characters). This will prevent unauthorized users from logging into your AP and manipulating its settings.
Change default SSID: The Service Set Identifier (SSID) or network name can be configured on a wireless AP. Replace the default SSID with a unique name that does not reveal the identity or other private information about your organization.
Turn off unused services: By default certain wireless APs may run additional services such as Web-based remote management, zero configuration, and SNMP based monitoring. If you are not using these services, simply turn them off. If you use SNMP, prefer SNMPv3 that supports stronger authentication than its predecessors.
Turn on security settings: Most wireless APs come with wireless security turned off by default. Cardholder data sent over an unsecured wireless connection is up for grabs and can be passively sniffed by unauthorized users. Turn on the security on your wireless APs and use strong encryption and authentication. See requirement 4.1.1 for more details.
|
N/A |
|
|
Section 4.1.1 Use strong encryption and authentication
Use WiFi Protected Access (WPA or WPA2) for implementing a secure wireless network. Use at least the Temporal Key Integrity Protocol (TKIP), preferably the Advanced Encryption Standard (AES) to protect in-transit cardholder data against eavesdropping. Implement 802.1x based central authentication to restrict wireless network access to authorized users. If you instead use Pre-Shared Key (PSK) authentication, use a strong passphrase that is at least eight characters long and a mix of alphanumeric and special characters.
Do not use the Wired Equivalent Privacy (WEP) protocol for encrypting wireless data. WEP is fundamentally broken and cannot be fixed by any supplementary solutions. Use of WEP is not allowed in the CDE after June 30, 2010. If using a WEP-encrypted wireless network, a WIPS that detects and blocks WEP cracking attacks could serve as a compensating control.
|
N/A |
|
|
Section 9.1.3 Restrict physical access
Physical access to authorized wireless APs and clients should be restricted to minimize tampering of these devices and exposure of cardholder data. A WIPS can also serve as a wireless inventory management system, monitoring wireless devices and their activities, tracking their physical location inside the CDE, and enabling the administrator to quickly discover any missing or tampered devices.
|
N/A |
|
|
Section 10.5.4 Maintain logs of wireless activity
Archive logs of wireless activity over one year on a central server where the logs cannot be tampered and have past 90 days logs available for review immediately.
|
N/A |
|
| Section 10.6 Review wireless access logs daily
Review wireless access logs daily to check for any anomalous activity and follow up any exceptions. Here a WIPS can be repurposed to maintain records of wireless activity it has monitored and can also help in forensic analysis of past data if necessary.
|
N/A |
|
| Section 12.3 Develop and enforce wireless usage policies
In defining wireless usage policies, organizations will need to understand how to securely deploy a wireless network and encourage users to follow best practices when they use wireless laptops and handheld devices. Once wireless access policies are defined, a WIPS can be used to truly enforce those policies and proactively secure the CDE against unauthorized wireless access.
|
N/A |
|
