Believe it or not, there are two PCI DSS requirements that can never be marked ‘Not Applicable’. According to the PCI SSC, requirements 1.2.3 and 11.1 can never be noted as ‘Not Applicable’.
Requirement 1.2.3 states:
“Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.“
Even if an organization does not have wireless, the PCI SSC has stated that this requirement may never be marked as ‘Not Applicable’. The QSA is required to document the network and describe any wireless the organization has implemented, regardless of whether or not the wireless has any contact with the cardholder data environment.
While this may seem a little over the top, think about why it is included in the PCI DSS. One of the largest breaches that ever occurred was the result of a poorly engineered and operated wireless network. As a result, to prevent future breaches due to wireless networking, the PCI DSS requires that the QSA ensure that any wireless, in or out of scope, is evaluated to determine if it is securely implemented.
When an organization does have wireless networking implemented, the PCI DSS requires that wireless networking to be segregated from the cardholder data environment (CDE) whether the wireless is used to carry cardholder data (CHD) or not. Again, this is in response to the large breach. Wireless is broadcast over public airwaves and an organization cannot be assured that someone is not eavesdropping on that broadcast. However, it is this broadcasting over public airwaves that trip up most organizations. People neglect or forget this fact and do not put in place the appropriate security and controls over wireless networks. As a result, the PCI DSS is trying to ensure that should wireless be compromised, the entire network is not also compromised by default. That then requires that controls such as ACLs and/or firewall rules are put in place to restrict traffic flow between any wireless networks and any other networks.
And even if an organization does not have wireless networking, under this requirement the QSA is required to document what procedures they used to determine that there was no wireless implemented.
As a result, a QSA is not allowed to place a ‘Not Applicable’ for this requirement.
As with requirement 1.2.3, requirement 11.1 was also put in place in response to that large breach as well as a number of other, unrelated breaches. This requirement is also in response to the low cost of wireless networking equipment and the ease with which it can be implemented in a stealthy manner thus providing an attacker with a way into an organization’s network. For reference, requirement 11.1 states:
“Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use.”
Whether an organization has wireless networking or not, the PCI DSS requires that the organization periodically assess its wireless networking posture to ensure that either wireless is still not present or that if wireless is used, that only the organization’s wireless is present on their network.
For an organization with only one or a few locations, this requirement is not that onerous. However, for a Wal*Mart or Target with thousands of locations, scanning each of those locations on a quarterly basis is daunting. As a result, you get wireless intrusion solutions such as those from Motorola and AirTight to automatically detect unapproved wireless devices. While these solutions meet the requirements of 11.1, they can be expensive and difficult to implement, monitor and manage. There is the alternative of implementing other controls on the network which can also be used to meet this requirement that I have discussed in another blog entry. However, this compensating control has its drawbacks as well.
As with requirement 1.2.3, no organization can mark requirement 11.1 as ‘Not Applicable’ just because they do not have wireless networking implemented.
At the end of the day, the bottom line here is that all organizations are required to ensure that wireless networking is either not present on their network or, if present, it is only their wireless devices and that those wireless devices are appropriately implemented and secured.
