PCI DSS Compliance FAQs

General

What is PCI DSS 1.2 and how is it different from PCI DSS 1.1?

PCI DSS 1.2 is the latest version of the PCI Data Security Standard. PCI DSS 1.2, released in October 2008, clarified and enhanced several of the requirements from PCI DSS 1.1, especially for wireless security.

What is the difference between Compliance and Security?

In the context of PCI, compliance is adherence by all organizations that process payment card data to the minimum security requirements defined in the PCI DSS. Compliance standards such as PCI DSS usually set the benchmark for a specific industry vertical, but are not necessarily comprehensive when it comes to network and data security. Security, on the other hand, is the level of protection against risk. Meeting compliance requirements should not be mistaken for a certification of ultimate security.

What are the roles of QSAs and ASVs?

Approved Scanning Vendors (ASVs) are organizations that validate adherence to certain DSS requirements by performing vulnerability scans of the Internet-facing environments of merchants and service providers. Qualified Security Assessor (QSA) companies are organizations that have been qualified by the PCI Security Standards Council (SSC) to validate an entity's adherence to the PCI DSS. Many QSA companies are also ASVs, but not all ASVs are QSAs. PCI compliance for Level 1 merchants must be validated by a QSA. PCI compliance for Level 2, 3 and 4 merchants requires validation using a self-assessment questionnaire.

What is the difference between Compliance and Validation?

All organizations that handle payment card data must comply with the PCI DSS, and must stay compliant at all times. Validation is the demonstration of compliance, usually to a QSA or ASV. Validation of compliance with the PCI DSS is on demand, and the required documentation and level of validation depend on the level of the merchant, which is determined by the volume of payment card data processed annually.

Who validates compliance with PCI DSS?

For Level 1 merchants, compliance with wireless PCI requirements is validated by a QSA. For Level 2, 3 and 4 merchants, compliance is validated through a self-assessment questionnaire that is submitted with proof to corroborate the answers in the questionnaire.

What are compensating controls?

If a merchant is unable to comply with a specific PCI DSS requirement due to legitimate technical or documented business reasons, compensating controls may be used to sufficiently mitigate the risk and meet the intent of the original requirement.

Minimum Wireless Scanning Requirements

How frequently do we need to scan for PCI compliance?

PCI DSS requires you to conduct wireless scans at least quarterly.

Can we choose a few of our sites for PCI wireless scanning?

No. PCI DSS requires that merchants conduct wireless scans across ALL their sites.

Conducting wireless scans at our multiple sites seems tedious and costly. We do not have the IT resources. Is there a way out?

Yes. AirTight Networks' SpectraGuard Online provides modular PCI scanning services that make compliance with the PCI wireless requirements easy and low cost, with pricing as low as $20 per month for a single location. With four different service modules, SpectraGuard Online meets the needs both of large organizations that want full WIPS capabilities but prefer a SaaS model with no up-front capital expense, and of small- and medium-sized enterprises that need a low-cost solution with no overhead costs for meeting PCI compliance.

Can a network scan conducted using a wired network monitoring tool serve the purpose of requirement 11.1?

A wired monitoring tool cannot detect wireless vulnerabilities and threats. The PCI DSS recommends the use of dedicated wireless scanning tools, such as a wireless intrusion detection/prevention system (WIPS), to conduct wireless scans.

We have not installed any wireless. Do we still need to worry about PCI DSS wireless security requirements?

Yes. Even if you do not have an official wireless LAN installed, unknown and unmanaged wireless devices (e.g., Rogue APs) can open security holes in your network and compromise payment cardholder data. Regardless of whether or not you have a wireless network, compliance with PCI DSS Requirement 11.1 requires you to conduct wireless scans at all your sites.

What is a Rogue AP and what does it have to do with PCI DSS compliance?

A Rogue AP is an unauthorized wireless AP attached to your network. Such unknown and unmanaged APs can compromise the security of your cardholder data environment and expose payment card data. Hence, PCI DSS requires you to regularly scan for rogue APs and remove them.

We have segmented our wireless network out of PCI scope. Do we still need to conduct wireless scans?

Yes. Even if you have segmented your wireless network (e.g., using a firewall or separate VLANs) out of PCI scope, Rogue wireless devices could still be attached directly to your CDE. So you still need to conduct wireless scans to detect their presence.

Can I use a wireless analyzer to conduct wireless scans?

Yes, a wireless analyzer can be used to tick the box for requirement 11.1. However, walking around with a wireless analyzer to conduct scans is a time-consuming process, is limited in scope (both in its ability to discover Rogue APs and in how long its results stay relevant), cannot scale to large premises, and is costly if multiple sites have to be scanned.
Using a wireless intrusion prevention system (WIPS) for scanning is a much more convenient and comprehensive alternative, and is in fact recommended by the PCI SSC Wireless SIG. A WIPS gives you:

  • 24x7 monitoring of wireless devices
  • Ability to maintain an up-to-date wireless device inventory
  • Instant detection of Rogue wireless APs
  • Automatic blocking of Rogue APs and other wireless threats or hack attacks
  • Location tracking capability to physically hunt down Rogue and other threat-posing wireless devices
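The two list items above, device inventory and Rogue AP detection, come down to one comparison: what a scan sees in the air versus what you know you deployed, and whether an unknown radio is actually attached to your wire. The following Python is an added illustration of that triage; it is not AirTight's product code or anything from the PCI SSC. The BSSIDs, the switch MAC table and the scan results are constructed sample data, and the "radio MAC is adjacent to the wired-port MAC" rule used to decide on-wire presence is a simplifying assumption (real WIPS products use several correlation methods), not a rule from the standard.

```python
"""Rogue-AP triage from a wireless scan against an authorized inventory.

Added example, not AirTight's or the PCI SSC's code. The BSSIDs, the switch
MAC table and the scan results below are constructed sample data, and the
"radio MAC is adjacent to the wired-port MAC" heuristic is a simplifying
assumption, not a rule from the standard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedAP:
    bssid: str      # radio MAC seen over the air (lower-case, colon-separated)
    ssid: str
    security: str   # "WPA2", "WEP", "OPEN", ...
    rssi_dbm: int


# Managed APs we deployed ourselves (constructed inventory).
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}

# MAC addresses learned on the CDE VLAN, e.g. from a switch MAC/CAM table
# (constructed). Anything radiating whose MAC is found here is on our wire.
CDE_WIRED_MACS = {
    "00:11:22:33:44:00",  # wired port of authorized AP ...44:01
    "aa:bb:cc:00:10:00",  # point-of-sale terminal
    "de:ad:be:ef:00:10",  # wired port of an AP nobody deployed
}

# One quarterly scan of the store (constructed).
SCAN = [
    ObservedAP("00:11:22:33:44:01", "STORE-CORP", "WPA2", -45),
    ObservedAP("de:ad:be:ef:00:11", "linksys", "OPEN", -38),
    ObservedAP("66:77:88:99:aa:bb", "CoffeeShopWiFi", "WPA2", -80),
]


def _mac_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def _same_block(mac_a: str, mac_b: str, span: int = 8) -> bool:
    """Assumption: an AP's radio and wired MACs come from one small block."""
    return abs(_mac_int(mac_a) - _mac_int(mac_b)) < span


def classify(scan, authorized, wired_macs):
    """Map each observed BSSID to 'authorized', 'rogue' or 'external'.

    rogue    : not ours, but attached to the CDE wire (the FAQ's Rogue AP)
    external : not ours and not on our wire (a neighbour, still worth noting)
    """
    verdict = {}
    for ap in scan:
        b = ap.bssid.lower()
        if b in authorized:
            verdict[b] = "authorized"
        elif any(_same_block(b, m) for m in wired_macs):
            verdict[b] = "rogue"
        else:
            verdict[b] = "external"
    return verdict


def missing_authorized(scan, authorized):
    """Inventory check: authorized APs that did not show up in the scan
    (powered off, stolen or moved) and need a physical follow-up."""
    seen = {ap.bssid.lower() for ap in scan}
    return set(authorized) - seen


if __name__ == "__main__":
    for bssid, verdict in classify(SCAN, AUTHORIZED_BSSIDS, CDE_WIRED_MACS).items():
        print(f"{bssid}  {verdict}")
    print("missing authorized APs:", missing_authorized(SCAN, AUTHORIZED_BSSIDS))
```

The "external" class matters because a neighbour's AP is not a Rogue AP in the FAQ's sense (it is not on your network), so it should be recorded but not treated as an incident; the "rogue" verdict and any missing authorized AP are the items that need a location fix and a physical visit.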

On conducting a wireless scan, if we find one or more Rogue APs, are we supposed to remediate the threat to comply with PCI DSS?

Yes, PCI DSS requires that you immediately track the location of the detected Rogue APs and physically remove them. A WIPS can automate blocking and location tracking of Rogue APs, making it easy to eliminate the risk.

Secure Wireless Deployment Requirements

Has PCI DSS specified a date by which we need to upgrade or replace WEP with a stronger encryption such as WPA/WPA2?

PCI DSS 1.2 prohibits the use of WEP after June 30, 2010.

We have many legacy wireless systems that use WEP encryption and cannot be upgraded to WPA/WPA2. Are there any compensating controls that allow us to use WEP and still be PCI compliant?

A WIPS that can proactively protect you against all types of WEP cracking attacks could serve as a compensating control in this case.

We are using WPA2 and 802.1x based authentication. Do we still need to conduct wireless scans?

Yes. While using WPA2 and 802.1x on your authorized wireless LAN is a good practice, it is not sufficient to secure your CDE from wireless threats such as Rogue APs, man-in-the-middle attacks, ad-hoc networks, and denial-of-service attacks. PCI DSS requires the use of WIPS to comprehensively secure your CDE against all types of wireless threats.

What can be done to restrict physical access to authorized wireless devices?

Physical access to authorized wireless APs and clients should be restricted to minimize tampering with these devices and exposure of cardholder data. A WIPS can also serve as a wireless inventory management system, monitoring wireless devices and their activities, tracking their physical location inside the CDE, and enabling the administrator to quickly discover any missing or tampered devices.

What type of wireless information should be logged to comply with PCI DSS?

Organizations should log wireless access information that may be useful later for forensic analysis. The logged information can include details about your wireless devices and their activity, such as which clients connect to which access points, the security and other wireless settings in use, and the devices' locations.

How long should we maintain the logs?

Archive logs of wireless activity for one year on a central server where the logs cannot be tampered with, and keep the past 90 days of logs immediately available for review. A WIPS can be repurposed to maintain records of the wireless activity it has monitored and can also help in forensic analysis of past data if necessary.

Does PCI require regular review of wireless access logs?

Yes, PCI DSS compliance requires you to review wireless access logs daily to check for any anomalous activity and follow up on any exceptions.
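What "anomalous activity" looks like in the wireless logs described above (clients, access points, security settings, location) can be made concrete. The Python below is an added example of such a daily review, not code from the FAQ's author or from any WIPS product: the log line format, the inventory tables and every log line are constructed, and a real controller or WIPS emits its own format, so the parsing expression would be adapted to it. The review is scoped to one calendar day so that yesterday's events are not re-raised, while a line that cannot be parsed is always reported, since a malformed record in a log that is supposed to be tamper-proof is itself an exception.

```python
"""Daily review of wireless association logs for anomalies.

Added example, not code from the FAQ's author or any WIPS product. The log
format, the inventory tables and every log line below are constructed; a real
WIPS or controller emits its own format, so LOG_RE would be adapted to it.
"""
import re

# Constructed format: one association event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) assoc client=(?P<client>[0-9a-f:]{17}) "
    r"bssid=(?P<bssid>[0-9a-f:]{17}) ssid=(?P<ssid>\S+) "
    r"sec=(?P<sec>\S+) loc=(?P<loc>\S+)$"
)

# Authorized APs and where each one is mounted (constructed inventory).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "Store-12/Floor1",
    "00:11:22:33:44:02": "Store-12/Floor2",
}
# Wireless clients that belong to the cardholder data environment (constructed).
KNOWN_CLIENTS = {"3c:4a:92:00:00:11", "3c:4a:92:00:00:12"}
# Security settings we accept on our own WLAN.
ACCEPTED_SECURITY = {"WPA2"}

# Constructed log excerpt: four events on 2009-03-02 and one from the day before.
SAMPLE_LOG = [
    "2009-03-02T09:14:05 assoc client=3c:4a:92:00:00:11 bssid=00:11:22:33:44:01 ssid=STORE-CORP sec=WPA2 loc=Store-12/Floor1",
    "2009-03-02T09:20:31 assoc client=3c:4a:92:00:00:12 bssid=de:ad:be:ef:00:11 ssid=linksys sec=OPEN loc=Store-12/Floor1",
    "2009-03-02T11:02:17 assoc client=c8:f7:33:ab:cd:ef bssid=00:11:22:33:44:01 ssid=STORE-CORP sec=WPA2 loc=Store-12/Floor1",
    "2009-03-02T13:45:09 assoc client=3c:4a:92:00:00:11 bssid=00:11:22:33:44:02 ssid=STORE-CORP sec=WPA2 loc=Store-12/Backroom",
    "2009-03-01T23:59:58 assoc client=3c:4a:92:00:00:12 bssid=de:ad:be:ef:00:11 ssid=linksys sec=OPEN loc=Store-12/Floor1",
]


def parse(line):
    """Return the fields of one log line as a dict, or None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def review(lines, day):
    """Return (line_no, finding, detail) tuples for the given YYYY-MM-DD.

    Each finding is an exception the daily review should follow up on:
      client-joined-unknown-ap  a CDE client associated to an AP we do not manage
      ap-location-mismatch      one of our APs is reporting from the wrong place
      weak-security             association without WPA2 (open or WEP)
      unknown-client            a device outside the inventory joined our WLAN
      unparseable               the log line itself is malformed
    """
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse(line)
        if rec is None:
            findings.append((n, "unparseable", line))
            continue
        if not rec["ts"].startswith(day):
            continue
        if rec["bssid"] not in AUTHORIZED_APS:
            findings.append((n, "client-joined-unknown-ap", rec["bssid"]))
        elif AUTHORIZED_APS[rec["bssid"]] != rec["loc"]:
            findings.append((n, "ap-location-mismatch", rec["loc"]))
        if rec["sec"] not in ACCEPTED_SECURITY:
            findings.append((n, "weak-security", rec["sec"]))
        if rec["client"] not in KNOWN_CLIENTS:
            findings.append((n, "unknown-client", rec["client"]))
    return findings


if __name__ == "__main__":
    for n, kind, detail in review(SAMPLE_LOG, "2009-03-02"):
        print(f"line {n}: {kind} ({detail})")
```

Run against the constructed excerpt, the review for 2009-03-02 raises four exceptions: a managed client joining an unmanaged open AP (two findings on one line), an unknown client on the corporate WLAN, and an authorized AP reporting from a location other than the one in inventory, which is the "missing or tampered device" case from the physical-access question above.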

Does PCI DSS allow wireless access points to broadcast SSID?

The latest PCI DSS 1.2 allows wireless access points to broadcast the SSID. In fact, disabling SSID broadcasting does not provide adequate security, and hence that requirement was dropped in the latest PCI standard.

The PCI DSS requires changing default settings on the wireless access points. Are there any best practices or recommended settings?

Replace the default password of your wireless AP with a stronger password (at least eight characters and a mix of alphanumeric characters). This will prevent unauthorized users from logging into your AP and manipulating its settings.

Replace the default SSID on your wireless APs with a unique name that does not reveal the identity of, or other private information about, your organization. Turn off default services that you may not be using, such as Web-based remote management, zero-configuration, and SNMP-based monitoring. If you use SNMP, prefer SNMPv3, which supports stronger authentication than its predecessors.

Most wireless APs come with wireless security turned off by default. Cardholder data sent over an unsecured wireless connection is up for grabs and can be passively sniffed by unauthorized users. Turn on the security on your wireless APs and use strong encryption (e.g., WPA/WPA2) and authentication (802.1x-based).
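The three paragraphs above amount to a checklist that can be applied mechanically to every AP in the estate before it goes live and again on each quarterly review. The Python below is an added example of such an audit, placing a typical out-of-the-box configuration next to the same AP after the recommendations are applied. It is not vendor or PCI SSC code: the configuration keys, the small list of factory defaults and both configurations are constructed for illustration, and a real audit would read the settings from the AP's management interface or exported configuration and map them onto these fields.

```python
"""Audit an access point's settings against the hardening points in this FAQ.

Added example, not vendor or PCI SSC code. The configuration schema (the key
names below) is constructed for illustration; a real audit would read the
settings from the AP's management interface or exported config and map them
onto these fields.
"""

# Small constructed set of factory defaults; a real audit would use the
# vendor's documented defaults for the exact model.
DEFAULT_PASSWORDS = {"", "admin", "password", "1234"}
DEFAULT_SSIDS = {"linksys", "default", "dlink", "netgear", "wireless"}
STRONG_ENCRYPTION = {"WPA", "WPA2"}   # the FAQ's examples; WEP is excluded
REQUIRED_AUTH = "802.1x"

WEAK_CONFIG = {  # what many APs look like out of the box (constructed)
    "admin_password": "admin",
    "ssid": "linksys",
    "remote_web_mgmt": True,
    "zero_config": True,                    # push-button / zero-configuration setup
    "snmp": {"enabled": True, "version": 2},
    "encryption": "NONE",
    "authentication": "open",
}

HARDENED_CONFIG = {  # the same AP after applying the FAQ's recommendations (constructed)
    "admin_password": "Tq7#mK92pL",
    "ssid": "Blue-Heron-41",
    "remote_web_mgmt": False,
    "zero_config": False,
    "snmp": {"enabled": True, "version": 3},
    "encryption": "WPA2",
    "authentication": "802.1x",
}


def audit(cfg, org_tokens=()):
    """Return a list of finding codes; an empty list means no issues found.

    org_tokens are words (company or brand names) that must not appear in the
    SSID, so the network does not advertise whose cardholder data it carries.
    """
    findings = []
    pw = cfg["admin_password"]
    if pw.lower() in DEFAULT_PASSWORDS:
        findings.append("password-default")
    if len(pw) < 8:
        findings.append("password-short")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        findings.append("password-weak-mix")

    ssid = cfg["ssid"].lower()
    if ssid in DEFAULT_SSIDS:
        findings.append("ssid-default")
    if any(tok.lower() in ssid for tok in org_tokens):
        findings.append("ssid-reveals-organization")

    if cfg["remote_web_mgmt"]:
        findings.append("remote-web-mgmt-enabled")
    if cfg["zero_config"]:
        findings.append("zero-config-enabled")
    if cfg["snmp"]["enabled"] and cfg["snmp"]["version"] < 3:
        findings.append("snmp-legacy-version")

    if cfg["encryption"].upper() not in STRONG_ENCRYPTION:
        findings.append("encryption-weak")   # NONE or WEP; WEP is barred after June 30, 2010
    if cfg["authentication"].lower() != REQUIRED_AUTH:
        findings.append("auth-not-802.1x")
    return findings


if __name__ == "__main__":
    print("factory default:", audit(WEAK_CONFIG, org_tokens=("acme",)))
    print("hardened:", audit(HARDENED_CONFIG, org_tokens=("acme",)))
```

The SNMP rule only fires when SNMP is enabled with a version below 3, since the FAQ leaves it to you whether the service is needed at all; disabling it when unused is the stronger choice and also clears the finding.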
