PCI Requirement 4.1.1 – Ensure Wireless Network Transmitting CHD or Connected to CDE Uses Strong Encryption

by Randy Bartels / August 23rd, 2017

Wireless networks are a part of our everyday technology environment. It’s almost impossible to get away from it, be it your cell phone, laptop, watch, tablet, television…the list goes on and on. Wireless networks are extremely prevalent in our culture. Think about how many restaurants you go to that have tableside payment. How does your payment get processed? Over a wireless network. That’s where PCI Requirement 4.1.1 comes into play. It states, “Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices to implement strong encryption for authentication and transmission.”

Wireless networks that use strong cryptography make it less likely that an attacker can eavesdrop on the network’s communications or compromise the network. Industry best practices must be in use to ensure that appropriate encryption methodology and strength are implemented. An example of weak encryption is WEP; this doesn’t mean you can’t use WEP within your environment, but you cannot use it to protect cardholder data in transit.

The best way to prepare for a PCI Requirement 4.1.1 assessment is to review all documentation related to wireless networks. Documentation should identify all wireless networks where cardholder data is transmitted or received, or that are connected to the cardholder data environment in some way. Then compare your documentation to your actual systems and verify that industry best practices for strong cryptography are in use in each of those places, for both authentication and transmission.
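One way to turn that documentation review into a repeatable check is to keep the wireless inventory in a simple CSV and run a script over it that flags every in-scope network whose authentication mode or cipher is not strong. The example below is added here and is not from the article or from any PCI standard; the inventory rows, the column names (`ssid`, `location`, `cde`, `auth`, `cipher`) and the sets of modes treated as strong are assumptions chosen for illustration, so align them with your own documentation and current guidance before relying on them.

```python
"""Flag wireless networks in scope for PCI DSS 4.1.1 that do not use strong
encryption for authentication and transmission.

Added example; the inventory format and the strong/weak classification are
constructed assumptions, not the article's or the standard's own list.
"""
import csv
import io

# Constructed sample inventory (assumption): one row per SSID, as a site
# might document it. 'cde' marks whether the network transmits cardholder
# data or is connected to the cardholder data environment.
SAMPLE_INVENTORY = """ssid,location,cde,auth,cipher
POS-Tableside,Dining room,yes,WPA2-PSK,CCMP
Guest-WiFi,Lobby,no,Open,None
Legacy-Scanners,Warehouse,yes,WEP,WEP-104
Corp-Staff,Office,yes,WPA2-Enterprise,CCMP
Old-Printers,Back office,yes,WPA,TKIP
"""

# Assumed classification of what counts as strong. WEP and original WPA/TKIP
# are deprecated; "Open" provides no encryption at all. Everything not
# listed here is treated as weak so that unknown modes are reviewed too.
STRONG_AUTH = {"WPA2-PSK", "WPA2-Enterprise", "WPA3-SAE", "WPA3-Enterprise"}
STRONG_CIPHER = {"CCMP", "CCMP-256", "GCMP", "GCMP-256"}


def classify(row):
    """Return None if the network is acceptable, else a short reason it fails."""
    auth = row["auth"].strip()
    cipher = row["cipher"].strip()
    if auth not in STRONG_AUTH:
        return f"authentication mode {auth} is not strong"
    if cipher not in STRONG_CIPHER:
        return f"cipher {cipher} is not strong"
    return None


def find_noncompliant(inventory_text):
    """Parse a CSV inventory and return (ssid, reason) pairs for in-scope
    networks that fail the check. Networks marked cde=no are skipped, since
    4.1.1 only applies to networks carrying CHD or connected to the CDE."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_text)):
        if row["cde"].strip().lower() != "yes":
            continue
        reason = classify(row)
        if reason:
            findings.append((row["ssid"].strip(), reason))
    return findings


if __name__ == "__main__":
    for ssid, reason in find_noncompliant(SAMPLE_INVENTORY):
        print(f"{ssid}: {reason}")
```

Run against the constructed inventory, the script reports the WEP warehouse network and the WPA/TKIP printer network and stays silent about the guest network, which is out of scope. The more useful step is the second half of the article's advice: export the real configuration from your wireless controller and feed that in as well, so that what the documentation claims and what the access points actually enforce are compared rather than assumed to match.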

Wireless is part of our everyday technology environment. It’s almost impossible to get away from it, be it your cell phone or laptop or any number of other devices. The Internet of Things is rather prevalent. You go to a restaurant nowadays and they have the tableside payments that are transmitting cardholder data over wireless.

As part of this, we want to make sure that if you’re transmitting cardholder data over wireless technologies, you’re using an industry-accepted protocol for doing so. To give an example, WEP has been deprecated for some time. That doesn’t mean you can’t use WEP within your environment; it’s that you cannot use WEP as a means of protecting that information while it’s transmitted over that medium. So, when we look at 4.1.1, make sure that you’re using strong cryptography to protect that data whenever it’s transmitted over an open or public network, which for this requirement specifically means wireless.