PCI DSS requirement 11.1 mandates the use of wireless scanners in your cardholder environment on at least a quarterly basis to ensure that rogue wireless networks are not present. The text of the requirement reads “Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use.”

There are several possible ways that you can meet this requirement in your organization. Here are a few suggestions:

  • Automate the scans if possible. You can avoid the legwork of walking around your organization with a wireless analyzer by deploying automated rogue access point detection mechanisms. Wireless intrusion prevention systems, such as AirMinder, AirDefense, Airtight and Nexus Hornet, all provide this functionality.
  • Simplify your scanning. If you have a small physical environment, nobody says that your quarterly scan needs to be complex. Why not download a free open source tool like Kismet, install it on a laptop, and walk around looking for rogue access points? You might be able to fulfill the requirements of PCI DSS section 11.1 in just a few minutes with no financial investment!
  • Consider implementing a compensating control if this is difficult. I know of one organization that occupies a large geographic area, making a quarterly wireless assessment quite burdensome. They worked with their merchant bank to implement a compensating control that relies upon the strict physical access controls to their cardholder data network to ensure that rogue access points are not added. The bank allowed them to use this control in lieu of the wireless scans.

Whatever you decide to do to satisfy requirement 11.1, be sure to document your work. You should maintain a log that documents the following information, at a minimum:

  • Date of the assessment
  • Individual conducting the assessment
  • Tool(s) used
  • Rogue access points detected (if any)
  • Action taken to remediate any rogue access points
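Whether you automate the scan or walk the floor with Kismet, the two pieces that turn raw scan output into evidence for an auditor are the same: compare what the analyzer saw against your inventory of authorized access points, and write down the result with the fields listed above. The script below is an added example (not code from the original article, and not Kismet's own export format); the scan data, the inventory of authorized BSSIDs, and the assessor's name are all constructed for illustration. It keys the comparison on BSSID rather than SSID, so an access point broadcasting a hidden or spoofed network name still shows up, and it normalizes the different MAC address spellings that analyzers and inventories use.

```python
"""Rogue access point check against an authorized inventory, plus the
PCI DSS 11.1 assessment log record.  Added example with constructed data."""
from __future__ import annotations

import csv
import io
import json
from dataclasses import dataclass, asdict
from datetime import date

# Constructed scan output in a simplified CSV layout.  This is NOT the native
# export format of Kismet or any particular wireless analyzer; adapt parse_scan()
# to whatever your tool produces.  Note the mixed MAC spellings and the hidden SSID.
SCAN_CSV = """bssid,ssid,channel,signal_dbm
00:11:22:33:44:55,CORP-POS,6,-48
00-11-22-33-44-56,CORP-POS,11,-61
AA:BB:CC:DD:EE:01,Free_WiFi,1,-39
aa:bb:cc:dd:ee:02,,6,-72
"""

# Constructed inventory of access points the organization has actually deployed.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:55", "00:11:22:33:44:56"}


@dataclass(frozen=True)
class AccessPoint:
    bssid: str
    ssid: str
    channel: int
    signal_dbm: int


def normalize_bssid(raw: str) -> str:
    """Return the lowercase colon-separated form so scan and inventory compare cleanly."""
    hexdigits = raw.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"malformed BSSID: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_scan(csv_text: str) -> list[AccessPoint]:
    """Parse the (constructed) CSV scan export into AccessPoint records."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        AccessPoint(normalize_bssid(row["bssid"]), row["ssid"],
                    int(row["channel"]), int(row["signal_dbm"]))
        for row in reader
    ]


def find_rogue_aps(observed: list[AccessPoint], authorized: set[str]) -> list[AccessPoint]:
    """Anything seen whose BSSID is not in the inventory is a candidate rogue."""
    allowed = {normalize_bssid(b) for b in authorized}
    return [ap for ap in observed if ap.bssid not in allowed]


def build_assessment_record(assessed_on: str, assessor: str, tools: list[str],
                            rogues: list[AccessPoint], remediation: str) -> dict:
    """Log entry carrying the minimum fields the article lists for the 11.1 record."""
    return {
        "date": date.fromisoformat(assessed_on).isoformat(),  # validates the date
        "assessor": assessor,
        "tools": list(tools),
        "rogue_access_points": [asdict(ap) for ap in rogues],
        "remediation": remediation if rogues else "none required",
    }


if __name__ == "__main__":
    found = find_rogue_aps(parse_scan(SCAN_CSV), AUTHORIZED_BSSIDS)
    record = build_assessment_record(
        "2024-01-15", "J. Doe (constructed)", ["Kismet"], found,
        "Both devices traced to the lobby and removed; inventory re-verified")
    print(json.dumps(record, indent=2))
```

A BSSID that is missing from the inventory is a candidate to investigate, not proof of a breach: a neighboring tenant's access point will appear in the same list, so record what you traced each one to, and keep the JSON output with the rest of the quarter's evidence.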

Don’t worry too much about this requirement. While it may sound intimidating and expensive at first, there are very straightforward ways to satisfy it. Just be sure to maintain your logs so that you can prove your diligence to an auditor!