PCI Requirement 2.1.1 – Change all Wireless Vendor Defaults

by Randy Bartels / June 30th, 2017

Hardening Your Wireless Network

Similar to the parent requirement, PCI Requirement 2.1, PCI Requirement 2.1.1 focuses on changing vendor-supplied defaults. PCI Requirement 2.1.1, though, relates to all wireless environments. If you’re using a wireless network or device that’s within scope of the PCI DSS, you must ensure that you change all wireless vendor defaults upon installation. You must also ensure that all security-related functions and features are enabled and that you are using secure protocols, ports, and services as part of the authentication. PCI Requirement 2.1.1 requires, “For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community settings.” Complying with PCI Requirement 2.1.1 by changing all wireless vendor defaults is an important part of hardening your wireless network.

Interviewing the responsible personnel and examining supporting policies, procedures, and documentation is the best way to test that your organization has appropriately changed all wireless vendor defaults. The PCI DSS states that your organization needs to verify that:

  • Encryption keys are changed from default at installation
  • Encryption keys are changed any time anyone with knowledge of the keys leaves the company or changes positions
  • Default SNMP community strings are required to be changed upon installation
  • Default passwords on access points are required to be changed upon installation
  • Default SNMP community strings are not used
  • Default passwords on access points are not used
  • Firmware for wireless devices is updated to support secure protocols
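The checks in the list above can be run against a configuration export before the assessor asks for it. The script below is an added example, not code from the original article or from the PCI SSC: it parses a constructed key=value export from a hypothetical access point and flags unchanged SNMP community strings, default passwords and encryption keys, an insecure wireless mode, out-of-date firmware, and a key that has not been rotated since a key holder left. The export format, the field names, the default-value lists and the minimum firmware version are all assumptions; a real audit would take them from the vendor's documentation.

```python
"""Audit an access-point configuration export for unchanged vendor defaults.

Added example, not code from the original article or from the PCI SSC.
The key=value export format, the field names, and the default-value lists
are all assumptions; real vendors use their own formats and defaults.
"""
import re
from dataclasses import dataclass
from datetime import date

# Assumed factory defaults an assessor would expect to have been changed.
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}
DEFAULT_ADMIN_PASSWORDS = {"admin", "password", ""}      # "" also catches a missing field
DEFAULT_WIRELESS_KEYS = {"0123456789", "changeme"}
INSECURE_SECURITY_MODES = {"open", "wep", "wpa"}          # no confidentiality, or broken
MINIMUM_FIRMWARE = (2, 0, 0)   # assumed: first firmware that supports WPA2/AES

# Constructed: the most recent day someone who knew the wireless key left.
SAMPLE_DEPARTURE = date(2017, 3, 15)

# Constructed sample exports: one still at factory settings, one hardened.
DEFAULT_AP_CONFIG = """
ssid=Store-POS
wireless_security=wep
wireless_key=0123456789
wireless_key_changed=2016-11-01
snmp_community_ro=public
snmp_community_rw=private
admin_password=admin
firmware_version=1.2.0
"""

HARDENED_AP_CONFIG = """
ssid=Store-POS
wireless_security=wpa2-aes
wireless_key=Zr7!qT9#vLp2$wXe
wireless_key_changed=2017-06-02
snmp_community_ro=rO-k3Qw8pZ
snmp_community_rw=rW-v6Hn2sD
admin_password=N0t-The-Default!
firmware_version=2.3.1
"""


@dataclass(frozen=True)
class Finding:
    field: str   # configuration field the finding applies to
    reason: str  # why it fails PCI Requirement 2.1.1


def parse_config(text):
    """Parse a key=value export into a dict (keys lower-cased, comments skipped)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip().lower()] = value.strip()
    return cfg


def parse_version(text):
    """'1.2.0' -> (1, 2, 0); anything without digits compares as (0,)."""
    return tuple(int(part) for part in re.findall(r"\d+", text)) or (0,)


def audit(cfg, last_key_holder_departure=None):
    """Return the list of Findings for one parsed configuration.

    last_key_holder_departure (a date) is the most recent day someone who knew
    the wireless key left or changed position; the key must have been rotated since.
    """
    findings = []
    for field in ("snmp_community_ro", "snmp_community_rw"):
        if cfg.get(field, "").lower() in DEFAULT_SNMP_COMMUNITIES:
            findings.append(Finding(field, "default SNMP community string still in use"))
    if cfg.get("admin_password", "") in DEFAULT_ADMIN_PASSWORDS:
        findings.append(Finding("admin_password", "default or empty access-point password"))
    if cfg.get("wireless_key", "") in DEFAULT_WIRELESS_KEYS:
        findings.append(Finding("wireless_key", "default wireless encryption key"))
    mode = cfg.get("wireless_security", "open").lower()
    if mode in INSECURE_SECURITY_MODES:
        findings.append(Finding("wireless_security", f"insecure wireless mode '{mode}'"))
    if parse_version(cfg.get("firmware_version", "")) < MINIMUM_FIRMWARE:
        findings.append(Finding("firmware_version", "firmware predates secure-protocol support"))
    if last_key_holder_departure is not None:
        changed = cfg.get("wireless_key_changed")
        if changed is None or date.fromisoformat(changed) <= last_key_holder_departure:
            findings.append(Finding("wireless_key_changed", "key not rotated since a key holder left"))
    return findings


def audit_text(text, last_key_holder_departure=None):
    """Convenience wrapper: parse and audit a raw export."""
    return audit(parse_config(text), last_key_holder_departure)


if __name__ == "__main__":
    for label, export in (("factory", DEFAULT_AP_CONFIG), ("hardened", HARDENED_AP_CONFIG)):
        results = audit_text(export, SAMPLE_DEPARTURE)
        print(f"{label}: {len(results)} finding(s)")
        for f in results:
            print(f"  {f.field}: {f.reason}")
```

The factory-state export produces one finding per bullet in the list; the hardened export produces none. Keeping the default lists and the minimum firmware version in named constants is deliberate, so that they can be replaced with the real vendor values once the assessor has identified the device models in scope.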

The intent behind PCI Requirement 2.1.1 is to prevent hackers from maliciously entering your organization’s wireless environment. The PCI DSS states, “If wireless networks are not implemented with sufficient security configurations (including changing default settings), wireless sniffers can eavesdrop on the traffic, easily capture data and passwords, and easily enter and attack the network.” If your organization does not follow the guidance under PCI Requirement 2.1.1, you are leaving your wireless network open to attackers.

Your assessor should ask for all of the configurations that are associated with the wireless devices and work with you to understand how the infrastructure is organized and how the wireless network and devices play into your environment.

Requirement 2.1.1 within the PCI DSS requires that you change all of the vendor defaults for the wireless environment. When you look at the parent requirement, PCI Requirement 2.1, it says that we need to change all of the vendor defaults, and wireless is no exception to this. If you’re using wireless, and it’s within scope of the PCI DSS, we need to make sure that all of those vendor defaults have been changed. Secondary to that, we need to make sure that all security-related functions and features are enabled and that you’re using secure protocols, ports, and services as part of the authentication. So once again, if you have wireless in scope, you need to change all of those defaults as well.

Your assessor for this particular test should ask for all of the configs that are associated with the wireless devices and, as part of that, work with you to understand how the infrastructure’s laid out, how the wireless plays into your environment, and help identify how to be in compliance with this requirement.