PCI Requirement 11.1 – Implement Processes to Test for the Presence of Wireless Access Points, and Detect and Identify All Authorized and Unauthorized Wireless Access Points on a Quarterly Basis

by Sarah Harvey / June 5th, 2018

Testing Wireless Access Points

Exploitation of wireless technology, according to the PCI DSS, is one of the most common ways attackers attempt to gain unauthorized access to networks and cardholder data. This is due to the ease with which a wireless access point can be attached to a network, the difficulty of detecting its presence, and the increased risk presented by unauthorized wireless devices. This is why PCI Requirement 11.1 states, “Implement processes to test for the presence of wireless access points (802.11) and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.” It’s not entirely about testing for the presence of the wireless access points that you do have; it’s more about testing for unauthorized wireless access points. Even if your organization prohibits the use of wireless technology, you must still perform the testing required by PCI Requirement 11.1.

To assess compliance with PCI Requirement 11.1, an assessor will want to see documentation of your quarterly testing of wireless access points, and your list of wireless devices. PCI Requirement 11.1.1 requires that organizations maintain an inventory of authorized wireless access points with a documented business justification. The PCI DSS guidance explains, “Knowing which wireless devices are authorized can help administrators quickly identify non-authorized wireless devices, and responding to the identification of unauthorized wireless access points helps to proactively minimize the exposure of CDE to malicious individuals.”

PCI Requirement 11.1 requires that, as an organization, you test for the presence of any unauthorized wireless access points in your environment. From an assessment perspective, many organizations tell their assessors, “No, I don’t have any wireless.” The requirement is not about testing for the presence of the wireless that you do have; it is about testing for the presence of wireless that somebody might have installed in your environment without authorization. From an assessment perspective, then, we ask that you provide us your quarterly results, because you are required to perform quarterly testing. If you do have any wireless within your environment, you must also maintain a list of the wireless access points that you have authorized in your environment.
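As an added example (not from the original post or from the PCI DSS itself), here is how the quarterly comparison described above can be automated: an export of detected access points from whatever scanning tool is used is reconciled against the 11.1.1 inventory of authorized access points, and the outcome is recorded as evidence for the assessor. The data-class fields, the matching on BSSID, and the sample devices are all assumptions of this example.

```python
"""Reconcile a quarterly wireless survey against the PCI 11.1.1 authorized-AP inventory."""
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class AuthorizedAP:
    bssid: str
    ssid: str
    location: str
    business_justification: str  # PCI DSS 11.1.1 requires this for every entry

@dataclass(frozen=True)
class DetectedAP:
    bssid: str
    ssid: str
    signal_dbm: int

def normalize_bssid(bssid: str) -> str:
    """Scanners disagree on case and separators; compare a canonical form."""
    return bssid.strip().lower().replace("-", ":")

def reconcile(inventory, survey):
    """Return (authorized, unauthorized, missing); missing = inventory APs never seen."""
    by_bssid = {normalize_bssid(a.bssid): a for a in inventory}
    known_ssids = {a.ssid for a in inventory}
    seen, authorized, unauthorized = set(), [], []
    for ap in survey:
        key = normalize_bssid(ap.bssid)
        seen.add(key)
        if key in by_bssid:
            authorized.append(ap)
        else:  # an unknown radio advertising one of our own SSIDs is reviewed first
            reason = "ssid-matches-authorized" if ap.ssid in known_ssids else "unknown"
            unauthorized.append((ap, reason))
    missing = [a for k, a in by_bssid.items() if k not in seen]  # stale inventory
    return authorized, unauthorized, missing

def quarterly_record(inventory, survey, tested_on: str):
    """Summary kept as evidence of the quarterly test; tested_on is an ISO date."""
    authorized, unauthorized, missing = reconcile(inventory, survey)
    day = date.fromisoformat(tested_on)
    return {"period": f"{day.year}-Q{(day.month - 1) // 3 + 1}", "tested_on": tested_on,
            "authorized_seen": len(authorized), "unauthorized_found": len(unauthorized),
            "inventory_not_seen": len(missing)}

# Constructed sample data (not real devices): two documented APs, three radios seen.
INVENTORY = [AuthorizedAP("00:11:22:33:44:55", "corp-wifi", "HQ floor 2", "Staff Wi-Fi, segmented from CDE"),
             AuthorizedAP("00:11:22:33:44:66", "corp-wifi", "HQ floor 3", "Staff Wi-Fi, segmented from CDE")]
SURVEY = [DetectedAP("00-11-22-33-44-55", "corp-wifi", -48), DetectedAP("aa:bb:cc:dd:ee:ff", "corp-wifi", -60),
          DetectedAP("de:ad:be:ef:00:01", "NETGEAR_5G", -71)]
```

Running `quarterly_record(INVENTORY, SURVEY, "2018-06-05")` on the sample data reports one authorized radio seen, two unauthorized radios to investigate, and one inventory entry the survey never observed, which is itself worth following up before the next quarter.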