PCI Security Council Clarifies Wireless Security Requirements for PCI DSS Compliance
Any organization handling payment card data should pay immediate attention to the PCI DSS Wireless Guideline published by the PCI Security Standards Council Wireless Special Interest Group last week.

Wireless Threats That Can Compromise PCI DSS Compliance
The key highlights are:
- ALL organizations, including those that do not have a wireless LAN or have one but do not use it for processing cardholder data, must scan ALL sites at least quarterly for wireless vulnerabilities.
- Why scan? To make sure there are no rogue APs (unauthorized or unmanaged APs attached to your network) inside your cardholder data environment (CDE), and no unsecured wireless connections (accidental or intentional) between your CDE and external wireless devices.
- If any threats are detected, they must be eliminated immediately.
- A wireless analyzer may be okay for scanning small environments, but it is tedious and costly for larger environments and organizations with multiple sites.
- Large organizations should scan and secure all their locations using a wireless intrusion prevention system (wireless IPS, or WIPS). A WIPS can significantly reduce the pain by automating wireless scanning and proactive threat remediation.
