1: You should scan everywhere a wireless client in-scope may reach, but also everywhere near all locations that are in-scope. Outdoor scans are not necessary if you don't also have wifi clients operating outside, like in-scope workers being at outside locations with their laptops and surfing. But a scan along the inside of the perimeter of the PCI DSS zone is a must, and also somewhere in the middle regions so you don't miss an AP that transmits weakly in the middle.
This effectively means you also need to, if you have remote workers:
- Implement a mandatory VPN or encryption, that cannot be turned off by the remote workers, which will take the airspace out of scope. Note that it's not enough to just enforce VPN/encryption while working with card data, as a malicious individual might insert malware while the computer is off-VPN. This method will mean captive portals will not work. (WLAN encryption does not count)
- OR, programmatically disable the wifi card on remote workers using some device management, while they are off-site.
Else, every location that the device visits effectively becomes in-scope. Good luck enforcing PCI DSS for a hotel lobby or hotel room.
However, self-service locations, as you say, do not necessarily need to be scanned. If you make the solution P2PE (Point-to-Point Encryption) and UPT (Unattended Payment Terminal) approved, and ensure the personnel at the self-service location does NOT have access to encryption keys, you have taken the local end of the self-service location off-scope, and no wifi scan is necessary. However, the actual P2PE/UPT terminal is still in scope.
You need to think "What happens if someone puts a rogue access point here - e.g. a malicious access point, that either distributes malware or steals data, and tricks a machine or human into connecting to it, perhaps by having the same SSID". Same with a malicious individual that inserts an access point into the in-scope network.
2: A PC with decent wifi will work, but you also need tools that allow you to record or monitor the MAC address of the AP, and also watch all access points reachable (e.g. multiple access points with the same SSID should not be consolidated into one). You also need a decent antenna, as a built-in antenna in a laptop might not be enough to detect APs far enough away.
You need to prepare for the worst, like a worker putting up a decent antenna and accessing a rogue access point.
The solution must also be able to record P2P access points, so an Android mobile is not sufficient, as viewing P2P access points on an Android requires root.
And to elaborate on your question/answer too:
You also need an action program, IF a rogue or unauthorized AP is found. For an unauthorized AP, it's easy: just track it down and then disconnect it from your network. (unauthorized AP = an AP that is connected to a network without authorization from the network admin, regardless of SSID)
A rogue access point (which is defined by an access point having the same SSID or MAC as an "authorized" access point, but may be located anywhere) is a bit more difficult to deal with. As a rogue access point might not be in your network/facilities at all, it might be at the neighbor's facilities, and you may need to resort to legal action to get rid of it. You could begin tracking it, and when its rough location is located, send a cease and desist letter to the manager of that building, and even send the FCC or police to that location.
Naming an AP the same as someone involved in payment cards, in an effort to get those to connect to it, is a clear computer misuse violation and could be classified as fraud too.
Another solution may be spoofing deauth packets for that rogue access point (some rogue AP scanners can do this automatically after detecting a rogue one) to prevent an authorized in-scope client from connecting to the rogue one, but this may have its own legal complications, as you are interfering with equipment you don't own or have authorization to operate.
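The classification the answer above describes (authorized vs. rogue vs. unauthorized AP, and never consolidating several BSSIDs that share an SSID) can be put into a small triage script. The following is an added example, not code from the answer or from any particular scanning tool. It assumes a survey has already been exported as (BSSID, SSID, channel, signal in dBm, survey-point tag) rows, that an inventory of authorized BSSID-to-SSID pairs exists, and that the MAC table of the in-scope wired segment is available so an AP whose radio MAC shows up on the wire can be marked "unauthorized" (an assumption for the demo; real AP radios may use a different MAC than their wired port). The survey rows, inventory and wired MAC list are all constructed sample data.

```python
"""Triage a wireless survey against an authorized-AP inventory (constructed example)."""
from dataclasses import dataclass

# Constructed survey rows: (BSSID, SSID, channel, signal dBm, survey-point tag).
# The same BSSID may appear several times, seen from different survey points.
SURVEY = [
    ("aa:bb:cc:00:00:01", "CORP-POS", 6, -48, "pos-lane-1"),
    ("aa:bb:cc:00:00:02", "CORP-POS", 11, -52, "pos-lane-4"),
    ("aa:bb:cc:00:00:02", "CORP-POS", 11, -70, "stockroom"),
    ("de:ad:be:ef:00:01", "CORP-POS", 6, -61, "parking-side-wall"),  # our SSID, unknown BSSID
    ("aa:bb:cc:00:00:01", "Free WiFi", 1, -55, "pos-lane-1"),        # our BSSID, foreign SSID
    ("12:34:56:78:9a:bc", "HomeRouter", 3, -80, "stockroom"),         # neighbour, not on our wire
    ("12:34:56:78:9a:cd", "Staff-Hotspot", 9, -40, "back-office"),    # seen on our wired segment
]

# Constructed inventory: BSSID -> SSID for every AP the network admin approved.
AUTHORIZED = {
    "aa:bb:cc:00:00:01": "CORP-POS",
    "aa:bb:cc:00:00:02": "CORP-POS",
}

# Constructed: MAC addresses learned on the in-scope wired segment (e.g. a switch MAC table).
WIRED_MACS = {"12:34:56:78:9a:cd", "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}

# Lower number = handle first.
SEVERITY = {"rogue": 0, "unauthorized": 1, "unknown": 2, "authorized": 3}


@dataclass
class Finding:
    bssid: str
    ssid: str
    verdict: str
    best_signal: int     # strongest reading in dBm, useful when walking towards the AP
    best_location: str   # survey point where that strongest reading was taken


def classify(survey, authorized, wired_macs):
    """Return one Finding per (BSSID, SSID) pair, keeping the strongest reading.

    Keying on the pair rather than the SSID alone means two APs advertising the
    same SSID stay separate, as the answer requires.
    """
    authorized_ssids = set(authorized.values())
    best = {}
    for bssid, ssid, _channel, signal, location in survey:
        key = (bssid.lower(), ssid)
        if key not in best or signal > best[key][0]:
            best[key] = (signal, location)

    findings = []
    for (bssid, ssid), (signal, location) in best.items():
        if authorized.get(bssid) == ssid:
            verdict = "authorized"
        elif ssid in authorized_ssids or bssid in authorized:
            # Same SSID or same MAC as an authorized AP, but not the approved pairing:
            # the rogue definition from the answer. It may sit anywhere, even next door.
            verdict = "rogue"
        elif bssid in wired_macs:
            # Its radio MAC was learned on our wired segment: plugged in without approval.
            verdict = "unauthorized"
        else:
            # Reachable but neither impersonating us nor on our wire; log and re-check.
            verdict = "unknown"
        findings.append(Finding(bssid, ssid, verdict, signal, location))

    # Worst verdict first, strongest signal first within a verdict.
    findings.sort(key=lambda f: (SEVERITY[f.verdict], -f.best_signal))
    return findings


def lookup(findings, bssid, ssid):
    """Fetch the Finding for one (BSSID, SSID) pair, or None."""
    for f in findings:
        if f.bssid == bssid.lower() and f.ssid == ssid:
            return f
    return None


def summary(findings):
    """Count findings per verdict, e.g. {'rogue': 2, 'unauthorized': 1, ...}."""
    counts = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for f in classify(SURVEY, AUTHORIZED, WIRED_MACS):
        print(f"{f.verdict:<12} {f.bssid}  {f.ssid!r:<16} {f.best_signal} dBm @ {f.best_location}")
```

Run as-is, the script lists the two rogue entries first (the foreign BSSID broadcasting CORP-POS, and the authorized BSSID reused under "Free WiFi"), then the hotspot found on the wired segment, then the neighbour's router as "unknown", and finally the two approved APs. The strongest reading per AP is kept so the survey point next to it is the obvious place to start the physical search.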