PCI DSS and Regulatory Compliance Blog

PCI DSS Wireless FAQ

March 15th, 2008 Posted in PCI DSS, Wireless

Many people think that wireless only applies to three requirements within the PCI DSS (1.3.8, 2.1.1, 4.1.1) and that it only applies to companies that have implemented wireless, but this is not the case.

The latest Aegenis whitepaper / FAQ on wireless within PCI DSS clarifies much of the confusion. The FAQ also raises some important points for companies that do not have wireless but still need to adhere to requirement 11.1.b.

This was made available in the latest Aegenis newsletter.

6 Responses to “PCI DSS Wireless FAQ”

By Maxim Emm on Mar 15, 2008

    There is a logical mistake in both PCI DSS standard 4.1.1 and the PCI DSS wireless FAQ:
    If WEP is used in scope, the PCI DSS standard (and wireless FAQ) requires the entity to use one of the following methods as an additional encryption layer: WPA|WPA2, VPN (IPSEC or something else) or TLS|SSL.
    It is technically impossible to use both WEP and WPA simultaneously.

    So it should be defined that entities may use WPA|WPA2 OR WEP+VPN OR WEP+SSL|TLS.

    Mike, is it possible to update at least Wireless FAQ?

By Michael Dahn on Mar 15, 2008

    Maxim, it’s always good to hear from you! The Council knows this and will correct the language in the next release of the standard later this year.

    Until then, read our FAQ for the “intent” behind the requirements. On page 7 of the FAQ we address this issue you described.

By Rich on Apr 16, 2008

    Here’s a quote from the auditing procedures which seems to be at odds with the paper.

    “If wireless technology is used to store, process, or transmit cardholder data (for example, point-of-sale transactions, “line-busting”), or if a wireless local area network (LAN) is connected to or part of the cardholder environment (for example, not clearly separated by a firewall), the Requirements and Testing Procedures for wireless environments apply and must be performed as well.”

    To me, this does not seem to require that wireless scanning is performed if a WLAN is not used.

By Michael Dahn on Apr 16, 2008

    You are correct, but here’s the rub. You need to first confirm that you do not have a wireless network connected to your wired network. How do you confirm this to be the case?

    Well, you could simply review your corporate policy that states wireless technologies are not to be used. But how do you KNOW this policy is not being ignored? You scan for rogue access points, that’s how.
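
An added example, not part of this thread or of the Aegenis FAQ, of the rogue access point check Michael describes: a scan result is compared against an inventory of approved access points so that an unknown BSSID, an unknown BSSID impersonating an approved SSID, or an approved AP that has drifted to WEP or open is reported. The scan lines, the inventory and the line format are constructed for the example and do not come from any real tool.

```python
# Added example: rogue access point check of the kind described for 11.1.
# Scan lines, inventory and the line format are constructed for this example;
# they are not output from any real scanning tool.
from dataclasses import dataclass

# Constructed inventory of approved access points: BSSID -> (SSID, security)
AUTHORIZED = {
    "00:11:22:33:44:01": ("corp-pos", "WPA2"),
    "00:11:22:33:44:02": ("corp-pos", "WPA2"),
}

# Constructed scan output, one AP per line: bssid ssid channel security
SCAN = """\
00:11:22:33:44:01 corp-pos 6 WPA2
00:11:22:33:44:02 corp-pos 11 WEP
aa:bb:cc:dd:ee:ff corp-pos 1 WPA2
de:ad:be:ef:00:01 guest-linksys 6 OPEN
"""

@dataclass
class Finding:
    bssid: str
    ssid: str
    reason: str

def parse_scan(text):
    """Parse the constructed whitespace-separated scan format."""
    aps = []
    for line in text.splitlines():
        if line.strip():
            bssid, ssid, channel, security = line.split()
            aps.append((bssid.lower(), ssid, int(channel), security.upper()))
    return aps

def find_rogue_aps(scan_text, authorized=AUTHORIZED):
    """Flag unknown APs, SSID impersonation, and approved APs below WPA/WPA2."""
    findings = []
    approved_ssids = {ssid for ssid, _ in authorized.values()}
    for bssid, ssid, _channel, security in parse_scan(scan_text):
        if bssid not in authorized:
            reason = "unknown BSSID"
            if ssid in approved_ssids:
                reason += " advertising an approved SSID (possible impersonation)"
            findings.append(Finding(bssid, ssid, reason))
        elif security not in ("WPA", "WPA2"):
            # WEP or open on an approved AP: 4.1.1 expects WPA/WPA2 or an extra encryption layer
            findings.append(Finding(bssid, ssid, f"approved AP using {security} instead of WPA/WPA2"))
    return findings
```

Calling `find_rogue_aps(SCAN)` on the constructed data yields three findings: the approved AP running WEP, the unknown AP impersonating `corp-pos`, and the open `guest-linksys` AP.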

By Suleymanovic on Sep 2, 2008

    Hi Michael,

    Are point-to-point (e.g. from the rooftop of one building to another) wireless Ethernet bridges considered “wireless connections”?

    I have a case where the entity transmits cardholder information from one location to another through a wireless LAN bridge. However, the wireless bridge is not an access point and users cannot connect to this device directly.

    The bridge is transmitting signals with an encrypted protocol at the network layer, but the PAN is not rendered at the application layer.

    What are the consequences?

    Cheers,

By Michael Dahn on Sep 5, 2008

    You need to protect the data in transit over public networks. However you do that is up to you. One option is to encrypt the cardholder data as it traverses the wireless bridge; that way you don’t need to worry about the wireless aspect as much.

    For example, you can encrypt the cardholder data via an application or point-to-point IPSec connection. There are many ways and other options available.

    If you have questions, a great place for them is the SPSP PCI Answers Forum:
    http://www.paymentsecuritypros.com/en/forums/
