PA-DSS requirement 6.3

Provide instructions for secure use of wireless technology.

In order for wireless technology to be used securely, it must first be implemented in a secure manner. Please refer to PA-DSS requirement 6.1 to learn how to securely implement wireless technology.

Change all default settings upon installation

As soon as new equipment is purchased, the first thing that should be done after taking the equipment out of its box is to change its default settings, such as usernames and passwords, SSIDs, wireless encryption keys and SNMP community strings.

This needs to be done before the equipment is installed in or around the card data environment in order to prevent malicious users from using known factory default configurations to gain unauthorized access to the card data environment.

Change credentials, keys and passwords frequently

Change wireless encryption keys, passwords, passphrases and SNMP strings as soon as someone with knowledge of the keys/passwords leaves the company or changes positions.

Also, if there is any doubt or possibility that unauthorized individuals may somehow have obtained any knowledge of keys, passwords, passphrases or strings, have all of them changed immediately. These credentials should only be given to people who have a legitimate need to know.

Install firewalls between wireless networks and card data environment

In addition to perimeter firewalls which protect the card data environment from the “outside world”, additional firewalls need to be installed between wireless networks and the card data environment.

For example, if wireless devices are used as point-of-sale terminals with the Maitre’D system, the wireless network that supports these devices needs to be segregated by a firewall in order to protect the Maitre’D Back-Office server, which contains cardholder data.

The firewalls must be configured with a default “Deny All” rule which systematically blocks all network traffic, and then specific rules need to be created so that only the traffic necessary for business purposes is allowed through the firewall.

Additionally, MAC address filtering should be employed so that only authorized wireless devices are allowed to communicate over the wireless network used by point-of-sale devices.
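The following ruleset is an added illustration of the two preceding paragraphs, written for this guide; it is not a configuration shipped with Maitre’D. It shows a Linux nftables firewall placed between the POS wireless segment and the back-office segment: the forward chain has a default “Deny All” policy, a single rule permits only authorized POS devices (matched by MAC address and IP address) to open connections to the Back-Office server on its service port, and everything else is logged and dropped. The interface names, addresses, MAC addresses and the port number are placeholders (assumptions); replace them with the values from your own environment and the port(s) the Maitre’D POS clients actually use.

```nftables
#!/usr/sbin/nft -f
# Added example for the Maitre'D implementation guide (not Maitre'D's own
# configuration). Firewall between the POS wireless VLAN and the back-office
# segment. All names, addresses and the port below are placeholders.

define POS_WLAN_IF = "eth0"          # placeholder: interface facing the POS wireless network
define BO_IF       = "eth1"          # placeholder: interface facing the back-office segment
define POS_NET     = 10.10.30.0/24   # placeholder: address range assigned to wireless POS devices
define BO_SERVER   = 10.10.20.5      # placeholder: Maitre'D Back-Office server address
define POS_PORT    = 9999            # PLACEHOLDER: replace with the port(s) the Maitre'D POS clients use

# Caution: "flush ruleset" discards every existing table on this host;
# merge with existing rules instead if the firewall serves other roles.
flush ruleset

table inet pos_segmentation {
    # MAC address allow-list of the authorized POS handhelds.
    # Constructed sample values; maintain this set from the device inventory.
    set authorized_pos_macs {
        type ether_addr
        elements = { 00:11:22:33:44:55, 00:11:22:33:44:56 }
    }

    chain forward {
        # Default "Deny All": any packet not accepted by a rule below is dropped.
        type filter hook forward priority filter; policy drop;

        # Return traffic for connections that a rule below already permitted.
        ct state established,related accept

        # Only an authorized POS device (by MAC and IP), arriving on the wireless
        # interface, may open a new connection to the back-office service port.
        iifname $POS_WLAN_IF oifname $BO_IF \
            ether saddr @authorized_pos_macs \
            ip saddr $POS_NET ip daddr $BO_SERVER \
            tcp dport $POS_PORT ct state new accept

        # Everything else crossing the boundary is logged (rate-limited) and then
        # falls through to the chain's drop policy.
        limit rate 10/minute log prefix "pos-fw-denied: "
    }
}
```

Load it with `nft -f <file>` and verify the result with `nft list ruleset`; the forward chain should show `policy drop` and exactly one accept rule toward the Back-Office server. Note that the back-office segment never gains a rule in the other direction, so a host on the wireless side cannot be reached from the back office, and the Back-Office server cannot initiate connections to POS devices. The MAC allow-list is a supplementary control only, since MAC addresses can be copied by an attacker who observes the wireless traffic; it complements, and does not replace, the 802.11i encryption and key handling required in requirement 6.1.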

Use industry best practices

Please refer to PA-DSS requirement 6.1 above to set up and use the wireless environment in a secure manner. This section was created by following the guidelines of IEEE 802.11i-2004. Also, some recommendations found in requirement 6.1 are based on security threats or weaknesses that were discovered after the release of IEEE 802.11i and therefore meet or surpass this standard.
