PCI Council : Wireless Security Guides for Payment Cards

There are a few news articles today that reference this article, which talks about the PCI Council publishing a Wireless Security Guide for Payment Cards. Update, July 17, 2009: the guide is now listed on the PCI Co website, and the direct link is here. From the article, these appear to be the relevant points from the guidelines:

  • The guidelines require “a firewall that demarcates the edge of the organization’s CDE” (cardholder data environment).
  • To combat the problem of rogue access points, businesses will need to regularly use a wireless analyzer or preventative measures such as a wireless intrusion detection/prevention system (IDS/IPS).
  • The council advises large organizations to set up automated scanning using a centrally managed wireless IDS/IPS.
  • The guidelines suggest quarterly scans every year to detect rogue wireless devices that could be connected to the CDE at any location, and an incident-response plan to deal with them.
  • To isolate wireless networks that don’t transmit, store or process cardholder data, a firewall must be used, and it has to filter packets based on the 802.11 protocol, perform stateful inspection of connections, and monitor and log the traffic it allows and denies in line with PCI DSS rule 10. The firewall logs would have to be monitored daily and the firewall rules verified once every six months.
  • The wireless guideline also says “relying on a virtual LAN (VLAN) based on segmentation is not sufficient.”
  • For “in-scope wireless networks,” physical security should apply, with options that include mounting wireless access points high on a ceiling and disabling the console interface and factory reset options by using a tamper-proof chassis.
  • Change the default settings of the access points: default administrative passwords, encryption settings and the reset function. Disable SNMP access to remote access points if possible. Do not advertise organization names in the SSID broadcast.
  • Use of AES encryption is recommended for WLAN networks. Specifically, information flowing through certain network segments, including secure wireless devices that connect to the private WLAN through the access points, must be encrypted.
  • Wireless usage policies should be established for “explicit management approval to use wireless networks in the CDE.” Usage policies require labeling of wireless devices with owner, contact information and purpose.
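As an added example (not from the article or the PCI guide), here is a small Python triage that applies the rogue-device, SSID-naming and AES points above to the output of a wireless scan. The authorized-AP inventory, the organization-name markers and the one-line-per-AP scan format are assumptions constructed for the example.

```python
"""Triage a wireless scan against an approved-AP inventory (added example).

Findings map to the guideline points: unknown BSSIDs are rogue candidates,
non-AES (non-CCMP) ciphers are weak, SSIDs naming the organization leak it,
and approved APs whose SSID/cipher differ from inventory have drifted.
"""

# Constructed inventory of approved APs: BSSID -> (SSID, expected cipher).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": ("corp-pos", "CCMP"),
    "00:11:22:33:44:02": ("corp-pos", "CCMP"),
    "00:11:22:33:44:03": ("guest", "CCMP"),
}

# Hypothetical strings that would reveal the organization in a broadcast SSID.
ORG_NAME_MARKERS = ("acme", "acmeretail")

# Constructed scan output, one AP per line: BSSID CIPHER SSID (SSID may have spaces).
# CCMP = AES, TKIP = legacy WPA, NONE = open network.
SCAN_OUTPUT = """\
00:11:22:33:44:01 CCMP corp-pos
00:11:22:33:44:02 CCMP corp-pos
00:11:22:33:44:03 TKIP guest
de:ad:be:ef:00:01 TKIP AcmeRetail POS
de:ad:be:ef:00:02 NONE linksys
"""


def parse_scan(text):
    """Yield (bssid, cipher, ssid) tuples from the constructed scan format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, cipher, ssid = line.split(maxsplit=2)
        yield bssid.lower(), cipher.upper(), ssid


def triage_scan(text):
    """Return finding category -> list of BSSIDs, in scan order."""
    findings = {"rogue": [], "weak_cipher": [], "ssid_leaks_org": [], "config_drift": []}
    for bssid, cipher, ssid in parse_scan(text):
        if bssid not in AUTHORIZED_APS:
            findings["rogue"].append(bssid)
        elif AUTHORIZED_APS[bssid] != (ssid, cipher):
            findings["config_drift"].append(bssid)  # approved AP, unexpected settings
        if cipher != "CCMP":
            findings["weak_cipher"].append(bssid)
        if any(marker in ssid.lower() for marker in ORG_NAME_MARKERS):
            findings["ssid_leaks_org"].append(bssid)
    return findings
```

Each finding still needs a human decision (a neighbor's AP is not a rogue on the CDE), which is where the incident-response plan the guide asks for comes in.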
