I have been preparing for the PCI DSS 2.0 draft released on October 28th, 2010 which is to be ratified in January of 2011. PCI DSS 2.0 clarifies requirements in many areas.
The draft 2.0 released yesterday has shown that there is little change in wireless recommendations around detecting the presence of rogue wireless access points. Actually the draft adds a little more room for interpretation.
In PCI DSS Draft v2.0, requirement 11.1 states that to be compliant organizations are required to “Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly Basis.” With a note that states, “Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS. Whichever methods are used, they must be sufficient to detect and identify any unauthorized devices.
As we examine this statement it seems to lend itself to more than one option. Perform a quarterly scan with a handheld scanner, rely on physically inspecting connections or implement an always-on wireless IDS/IPS solution. I vote for the latter. Why?