2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings.
2.1.1.a Interview responsible personnel and examine supporting documentation to verify that:
• Encryption keys were changed from default at installation
• Encryption keys are changed anytime anyone with knowledge of the keys leaves the company or changes positions.
2.1.1.b Interview personnel and examine policies and procedures to verify:
• Default SNMP community strings are required to be changed upon installation.
• Default passwords/passphrases on access points are required to be changed upon installation.
2.1.1.c Examine vendor documentation and log in to wireless devices, with system administrator help, to verify:
• Default SNMP community strings are not used.
• Default passwords/passphrases on access points are not used.
2.1.1.d Examine vendor documentation and observe wireless configuration settings to verify firmware on wireless devices is updated to support strong encryption for:
• Authentication over wireless networks
• Transmission over wireless networks.
2.1.1.e Examine vendor documentation and observe wireless configuration settings to verify other security-related wireless vendor defaults were changed, if applicable.
If wireless networks are not implemented with sufficient security configurations (including changing default settings), wireless sniffers can eavesdrop on the traffic, easily capture data and passwords, and easily enter and attack the network.
In addition, the key-exchange protocol for older versions of 802.11x encryption (Wired Equivalent Privacy, or WEP) has been broken and can render the encryption useless. Firmware for devices should be updated to support more secure protocols.
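The checks in 2.1.1.c and 2.1.1.d can be partly automated over an exported access point configuration. The following is an added example, not part of the requirement text; the key=value export format, the key names, and the default-value lists are assumptions to be replaced with values from the vendor documentation.

```python
# Added example: audit a wireless AP config export against testing
# procedures 2.1.1.c and 2.1.1.d. The key=value format and key names are
# hypothetical; map them to what your vendor's export actually contains.

DEFAULT_COMMUNITIES = {"public", "private"}               # well-known SNMP defaults
DEFAULT_PASSWORDS = {"admin", "password", "default", ""}  # illustrative; extend from vendor docs
WEAK_ENCRYPTION = {"none", "open", "wep"}                 # WEP is broken, per the guidance above

SAMPLE_CONFIG = """\
# constructed sample, not from a real device
hostname=ap-lobby-01
snmp.community.ro=public
snmp.community.rw=Xk7-rw-9f2a
admin.password=admin
wlan0.encryption=WEP
wlan1.encryption=WPA2-Enterprise
"""

def parse_config(text):
    """Return {key: value} from key=value lines, skipping blanks and comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings

def audit(settings):
    """Return a sorted list of (testing_procedure, key, reason) findings."""
    findings = []
    for key, value in settings.items():
        if key.startswith("snmp.community") and value.lower() in DEFAULT_COMMUNITIES:
            findings.append(("2.1.1.c", key, "default SNMP community string"))
        elif key.endswith(".password") and value.lower() in DEFAULT_PASSWORDS:
            findings.append(("2.1.1.c", key, "default or empty password"))
        elif key.endswith(".encryption") and value.lower() in WEAK_ENCRYPTION:
            findings.append(("2.1.1.d", key, "weak or no wireless encryption"))
    return sorted(findings)

if __name__ == "__main__":
    for proc, key, reason in audit(parse_config(SAMPLE_CONFIG)):
        print(f"[{proc}] {key}: {reason}")
```

A clean result only shows that the listed defaults are absent from the export; it does not replace the interviews and documentation review in 2.1.1.a and 2.1.1.b.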