
The PCI-DSS requirements define scope in terms of the CDE and systems connected to it. The requirements that specifically deal with physical security (9.x) are phrased in terms of facilities that house CDE systems (and can reasonably be interpreted to extend to facilities that house systems connected by network to the CDE).

However, requirement 11.1, which requires scanning for wireless access points, is phrased in absolute terms with no reference to the CDE:

Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.

Is it reasonable to assume that such WiFi scans only need to be done at company facilities that have some connection to the CDE? That seems to match the intent of the requirement, though interpreted broadly it could apply to any facility.

  • Yes, wifi testing is in the context of clarifying scope, so if there are other network protections that ensure a facility cannot be used to reach a CDE, then an AP at that facility will not change scope. – Jonah Benton Sep 02 '16 at 03:57

1 Answer


I agree with Jonah B but I would make sure that there were no devices within the facility that either have the ability to administer any devices in the CDE (authentication servers) or have access to those devices (jump boxes).

If the provisions for satisfying Req. 11.1 elsewhere are not going to apply to a facility, then all of the devices within that facility have to be out of scope.

We're looking for rogue APs. When is that ever not a good idea? If I have no data flows there that affect storage, processing, or transmission, you're good - the devices are out of scope. I'm curious why rogue APs would be tolerated, but you're good.

  • You need to tolerate rogue APs because any mobile phone that provides a WiFi hotspot or tethering within range of your detection equipment is technically a potential rogue AP. Of course those things come and go as often the people who own mobile phones do, so simply detecting them doesn't do much good; but that's not how the requirement is written, is it? – John Deters Nov 28 '16 at 20:30
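The answer and the comment above describe the two halves of a Requirement 11.1 process: reconciling what a scan sees against the list of authorized access points, and not drowning in transient hotspots (tethered phones) that appear once and vanish. The following Python script is an added illustration written for this page; it is not code from the question, the answer, or the PCI standard. The BSSIDs, SSIDs, signal strengths and scan identifiers are constructed sample data, and the rule that an unknown BSSID seen in at least two separate walk-throughs is escalated as a rogue candidate (while a single sighting is logged as transient) is an assumed policy, not something the standard prescribes.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample inventory (not from the page): BSSID -> description.
# In practice this comes from the site's authorized-AP register.
AUTHORIZED_APS = {
    "aa:bb:cc:00:00:01": "corp-wifi, site A, floor 1",
    "aa:bb:cc:00:00:02": "corp-wifi, site A, floor 2",
    "aa:bb:cc:00:00:03": "corp-wifi, site A, server room",  # never observed below
}


@dataclass(frozen=True)
class Observation:
    """One access point seen during one walk-through scan."""
    scan_id: str     # identifier of the walk-through, e.g. "Q3-walk1"
    bssid: str       # AP MAC address as reported by the scanner
    ssid: str        # advertised network name
    rssi_dbm: int    # signal strength, only kept for the report


# Constructed scan results (not from the page): three walk-throughs in one quarter.
SCANS = [
    Observation("Q3-walk1", "aa:bb:cc:00:00:01", "corp-wifi", -45),
    Observation("Q3-walk1", "de:ad:be:ef:00:01", "printer-direct", -60),
    Observation("Q3-walk1", "12:34:56:78:9a:bc", "Johns iPhone", -70),
    Observation("Q3-walk2", "aa:bb:cc:00:00:01", "corp-wifi", -47),
    Observation("Q3-walk2", "de:ad:be:ef:00:01", "printer-direct", -58),
    Observation("Q3-walk3", "aa:bb:cc:00:00:02", "corp-wifi", -50),
    Observation("Q3-walk3", "de:ad:be:ef:00:01", "printer-direct", -61),
]


def classify(observations, authorized, min_sightings=2):
    """Map each observed BSSID to 'authorized', 'rogue-candidate' or 'transient'.

    An unknown BSSID that shows up in at least `min_sightings` distinct scans is
    persistent enough to investigate; one seen only once is most likely a phone
    hotspot and is recorded but not escalated (assumed policy, see lead-in).
    """
    scans_per_bssid = defaultdict(set)
    for obs in observations:
        scans_per_bssid[obs.bssid].add(obs.scan_id)

    status = {}
    for bssid, scan_ids in scans_per_bssid.items():
        if bssid in authorized:
            status[bssid] = "authorized"
        elif len(scan_ids) >= min_sightings:
            status[bssid] = "rogue-candidate"
        else:
            status[bssid] = "transient"
    return status


def missing_authorized(observations, authorized):
    """Authorized APs that no scan saw: inventory drift or a decommissioned AP.

    These are worth reconciling too, since an inventory that lists APs which no
    longer exist makes the 'authorized' list meaningless as evidence.
    """
    seen = {obs.bssid for obs in observations}
    return sorted(b for b in authorized if b not in seen)


def quarterly_report(observations, authorized):
    """Group BSSIDs by status and attach the SSID last seen for each one."""
    last_ssid = {obs.bssid: obs.ssid for obs in observations}
    grouped = defaultdict(list)
    for bssid, state in classify(observations, authorized).items():
        grouped[state].append((bssid, last_ssid[bssid]))
    for state in grouped:
        grouped[state].sort()
    grouped["missing-authorized"] = [
        (b, authorized[b]) for b in missing_authorized(observations, authorized)
    ]
    return dict(grouped)


if __name__ == "__main__":
    for state, entries in quarterly_report(SCANS, AUTHORIZED_APS).items():
        print(state)
        for bssid, name in entries:
            print(f"  {bssid}  {name}")
```

Run as a script, the report lists the two seen corporate APs as authorized, the `printer-direct` BSSID seen on all three walks as a rogue candidate to investigate, the phone hotspot as transient, and the server-room AP as listed-but-unseen. Adjusting `min_sightings` is the knob that trades off the comment's concern (noise from passing hotspots) against missing a rogue AP that is only powered on intermittently.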