User's Guide
Reports
243
3. Requirement 4.1.1: Verify that wireless networks transmitting cardholder data use appropriate
encryption methods. Reliance on WEP (Wired Equivalent Privacy) for cardholder data protection
should be avoided. This report provides a list of wireless access points and clients communicating
using open or insecure encryption methods.
4. Requirement 6.2: Establishing a process to identify newly discovered vulnerabilities and
updating configuration standards to address the new vulnerability issues. Generate and review
contents of this report periodically so that newly discovered vulnerabilities can be identified and
acted upon.
5. Requirement 10.5.4: Copy logs for wireless networks onto a centralized internal log server or
media that is difficult to alter. The report generation engine maintains logs of all wireless activity for
archival purposes.
6. Requirement 11.1: Use a wireless analyzer at least quarterly to identify all wireless devices in
use. This report provides a list of all wireless devices in use. In addition, scanners continuously
monitor all wireless devices in use and automatically update the list of wireless devices maintained
at the server.
7. Requirement 11.2: Run network vulnerability scans quarterly and after any significant change in
the network. This report provides a list of wireless vulnerabilities discovered during the report
generation interval. This report can be generated on demand or at scheduled intervals.
8. Requirement 11.4: Use of network intrusion detection and prevention system to monitor
network traffic and alert personnel of suspected compromises. Intrusions can also happen through
wireless. Wireless scanners continuously monitor, log and (optionally) alert and block wireless
intrusion attempts.
9. Requirement 12.10: Implement an incident response plan. Be prepared to respond immediately
to a system breach (including those happening through wireless back doors). Wireless scanners
monitor airwaves 24/7 and instantly detect any unauthorized wireless activity. Incident response
can be done either manually or automatically using wireless scanners.
10. Requirement 2.1.1 (Potential Violations): Change vendor-supplied defaults for wireless
equipment. For wireless equipment,default password, SSID, WEP key and security settings should
be changed. WPA or WPA2 should be used wherever possible. This report provides a list of
wireless access points using default SSID or security configurations.
11. Requirement 4.1.1 (Potential Violations): Verify that wireless networks transmitting
cardholder data use appropriate encryption methods. Reliance on WEP (Wired Equivalent Privacy)
for cardholder data protection should be avoided. This report provides a list of wireless access
points and clients communicating using open or insecure encryption methods.
12. Requirement 11.1 (Potential Violations): Use a wireless analyzer at least quarterly to identify
all wireless devices in use. This report provides a list of all wireless devices in use. In addition,
scanners continuously monitor all wireless devices in use and automatically update the list of
wireless devices maintained at the server.
Note: For all potential violation sections, It is not confirmed whether or not these wireless security
incidents occurred inside a cardholder data environment (CDE) network. Hence, the incidents have
been classified as a Potential Violation of the PCI DSS.
x PCI DSS 2.0 Wireless Compliance Report - Payment Card Industry Data Security Standard
(PCI DSS) Version 2.0 published in October 2010 defined recommended security controls for
protecting cardholder data. PCI DSS was defined by a consortium of credit card companies,
including VISA and Master Card. The requirements of the PCI standard apply to all members,
merchants, and service providers that store, process and transmit card holder data.
The following sections from PCI DSS, Version 2.0 are relevant from the perspective of protecting
cardholder data from unauthorized wireless access. This report is intended to be simply an aide to
review PCI DSS 2.0 compliance of WLAN deployments. It is not meant to automatically fulfill PCI
DSS 2.0 requirements related to your WLAN network. Consult a PCI Qualified Security Auditor
(QSA) for obtaining compliance certification.
1. Requirement 1.2: Deny traffic from 'untrusted' networks and hosts, except for protocols
necessary in the cardholder's data environment. This report provides a list of rogue or