Testing Wireless Access Points

Exploitation of wireless technology, according to the PCI DSS, is one of the most common ways attackers attempt to gain unauthorized access to networks and cardholder data. This is due to the ease with which a wireless access point can be attached to a network, the difficulty of detecting its presence, and the increased risk presented by unauthorized wireless devices. This is why PCI Requirement 11.1 states, “Implement processes to test for the presence of wireless access points (802.11) and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.” It’s not entirely about testing for the presence of the wireless access points that you do have; it’s more about testing for unauthorized wireless access points. Even if your organization prohibits the use of wireless technology, you must still perform the testing required by PCI Requirement 11.1.

To assess compliance with PCI Requirement 11.1, an assessor will want to see documentation of your quarterly testing of wireless access points, and your list of wireless devices. PCI Requirement 11.1.1 requires that organizations maintain an inventory of authorized wireless access points with a documented business justification. The PCI DSS guidance explains, “Knowing which wireless devices are authorized can help administrators quickly identify non-authorized wireless devices, and responding to the identification of unauthorized wireless access points helps to proactively minimize the exposure of CDE to malicious individuals.”

PCI Requirement 11.1 requires that, as an organization, you test for the presence of any unauthorized wireless in your environment. From an assessment perspective, many organizations tell their assessors, “No, I don’t have any wireless.” The requirement is not about testing for the presence of the wireless that you do have; it’s about testing for the presence of wireless that somebody might have installed in your environment without authorization. So from an assessment perspective, we ask that you provide us with your quarterly results, because you are required to perform quarterly testing. If you do have any wireless within your environment, you need to maintain a list of the wireless access points that you have authorized in your environment.
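The two artifacts described above, the authorized-AP inventory with its business justification (11.1.1) and the quarterly survey results (11.1), fit together as a reconciliation: every access point seen in the survey is matched against the inventory by BSSID, anything not on the list is reported as unauthorized, and anything on the list that was not seen is queued for follow-up. The script below is an added example written for this page, not code from the PCI SSC or from any scanning tool. It assumes the inventory is kept as a BSSID-keyed table and that the survey tool exports one `bssid,ssid,channel,signal_dbm` line per access point; every MAC address, SSID and location in it is constructed for illustration.

```python
# Added example: reconcile a wireless survey against the authorized-AP inventory
# that PCI DSS 11.1.1 calls for. All BSSIDs, SSIDs and locations are constructed.
import re
from dataclasses import dataclass

# Constructed inventory (11.1.1): authorized BSSID -> SSID, location, business justification.
AUTHORIZED_INVENTORY = {
    "00:11:22:33:44:01": {"ssid": "CorpNet", "location": "HQ floor 1", "justification": "staff laptops"},
    "00:11:22:33:44:02": {"ssid": "CorpNet", "location": "HQ floor 2", "justification": "staff laptops"},
    "00:11:22:33:44:03": {"ssid": "Guest", "location": "Lobby", "justification": "visitor internet, segmented from CDE"},
    "00:11:22:33:44:04": {"ssid": "CorpNet", "location": "Warehouse", "justification": "handheld scanners"},
}

# Constructed survey export (assumed format): bssid,ssid,channel,signal_dbm per line.
SURVEY_EXPORT = """\
00-11-22-33-44-01,CorpNet,6,-41
00:11:22:33:44:02,CorpNet,11,-55
00:11:22:33:44:03,Guest,1,-60
DE:AD:BE:EF:00:01,CorpNet,6,-38
DE:AD:BE:EF:00:02,,11,-70
DE:AD:BE:EF:00:03,Linksys,1,-82
"""


@dataclass(frozen=True)
class ObservedAP:
    bssid: str        # canonical lower-case, colon-separated form
    ssid: str         # "" when the network does not broadcast its SSID
    channel: int
    signal_dbm: int


def normalize_bssid(raw: str) -> str:
    """Canonicalize a MAC written as aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff,
    so inventory entries and survey rows compare reliably however each tool formats them."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def normalized_inventory(inventory: dict) -> dict:
    """Re-key the inventory by canonical BSSID."""
    return {normalize_bssid(b): meta for b, meta in inventory.items()}


def parse_survey(export: str) -> list:
    """Parse the survey export; blank lines are skipped, an empty SSID field means hidden."""
    aps = []
    for line in export.splitlines():
        if not line.strip():
            continue
        bssid, ssid, channel, signal = line.split(",")
        aps.append(ObservedAP(normalize_bssid(bssid), ssid, int(channel), int(signal)))
    return aps


def reconcile(observed: list, inventory: dict) -> dict:
    """Split observed APs by BSSID into authorized and unauthorized, and single out
    unauthorized APs that advertise an authorized SSID: those are the ones a client in
    the cardholder data environment is most likely to join by mistake, so they go first."""
    auth = normalized_inventory(inventory)
    auth_ssids = {meta["ssid"] for meta in auth.values()}
    result = {"authorized": [], "unauthorized": [], "impersonating": []}
    for ap in observed:
        if ap.bssid in auth:
            result["authorized"].append(ap)
            continue
        result["unauthorized"].append(ap)
        if ap.ssid in auth_ssids:
            result["impersonating"].append(ap)
    return result


def missing_from_survey(observed: list, inventory: dict) -> list:
    """Inventory entries the survey never saw: powered off, decommissioned but still listed,
    or a site the survey did not cover. Each one needs a follow-up, not silence."""
    seen = {ap.bssid for ap in observed}
    return sorted(b for b in normalized_inventory(inventory) if b not in seen)


def quarterly_report(observed: list, inventory: dict, label: str) -> str:
    """Render the evidence an assessor asks for: what was found, what was authorized, what was not."""
    r = reconcile(observed, inventory)
    auth = normalized_inventory(inventory)
    lines = [f"Wireless AP test: {label}",
             f"observed={len(observed)} authorized={len(r['authorized'])} unauthorized={len(r['unauthorized'])}"]
    for ap in r["unauthorized"]:
        tag = " ADVERTISES AUTHORIZED SSID" if ap in r["impersonating"] else ""
        lines.append(f"UNAUTHORIZED {ap.bssid} ssid={ap.ssid or '<hidden>'} ch={ap.channel} {ap.signal_dbm}dBm{tag}")
    for bssid in missing_from_survey(observed, inventory):
        lines.append(f"NOT SEEN {bssid} ({auth[bssid]['location']}: {auth[bssid]['justification']})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(quarterly_report(parse_survey(SURVEY_EXPORT), AUTHORIZED_INVENTORY, "Q1 (constructed data)"))
```

Matching on BSSID rather than SSID is the point of the inventory: an SSID is whatever the device owner chooses to broadcast, so an unauthorized access point that shows the corporate SSID is still unauthorized, and the report flags it ahead of the others. The "not seen" list is the other half of the quarterly check; an inventory entry with no corresponding survey hit is either a stale record or a gap in survey coverage, and both matter to the assessor.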

Regular Testing

PCI Requirement 11 is about managing the security of your environment. It states, “Regularly test security systems and processes.” From everything we’ve learned in the PCI DSS so far, we know that it has required us to:

  • Harden our networks
  • Harden our systems
  • Protect data in storage
  • Protect data in transmission
  • Protect systems against malware
  • Ensure that systems and applications are developed securely
  • Restrict access to cardholder data based on business need to know
  • Implement identity management procedures
  • Protect cardholder data from physical harm
  • Track and monitor all access to resources and cardholder data

Now, in PCI Requirement 11, we want to regularly test security systems and processes to ensure that everything is working as it’s supposed to. This testing should cover wireless access points, incident response procedures, vulnerability scans, penetration testing, intrusion detection, change detection, and policies and procedures. Regular testing ensures that new vulnerabilities are caught by the right people and that measures are taken to protect against new threats. Recognizing that you have an ever-changing environment will help you see the value in PCI Requirement 11.

PCI Requirement 11 is about managing the security of your environment. If you think about the way the PCI DSS flows, PCI Requirement 1 is about hardening networks; PCI Requirement 2 is about hardening systems; PCI Requirement 3 is about protecting data in storage; and PCI Requirement 4 is about protecting data in transmission. From there, we’re applying antivirus to protect against malware, we’re patching our servers, we have change control, we’re developing software securely, we have authorization and authentication, we have good passwords, we’re logging everything, and we have physical controls around our environment. When we get to PCI Requirement 11, it is about testing the efficacy of our overall security program and making sure that it is working as we have defined it.