[PA-DSS] 6.2 For payment applications using wireless technology, payment application must facilitate

6.2 For payment applications using wireless technology, the payment application must facilitate use of encrypted transmissions by using Wi-Fi Protected Access (WPA or WPA2) technology, IPSEC VPN or SSL/TLS.

Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN.

If WEP is used, do the following:
[ul]
[li]Use with a minimum 104-bit encryption key and 24-bit initialization value.[/li]
[li]Use ONLY in conjunction with secure encrypted transmission technology (for example, IPSEC, VPN or SSL/TLS).[/li]
[li]Rotate shared WEP keys quarterly (or automatically if the technology permits).[/li]
[li]Rotate shared WEP keys whenever there are changes in personnel with access to keys.[/li]
[li]Restrict access based on media access code (MAC) address.[/li]
[/ul]
PCI Data Security Standard Requirement 4.1.1

Testing Procedures:

6.2.a For payment applications developed by the vendor using wireless technology, and other wireless applications bundled with the vendor application, verify that appropriate encryption methodologies are included or available, in accordance with PCI DSS Requirement 4.1.1.

6.2.b If WEP is used, verify it is used in accordance with PCI DSS Requirement 4.1.1.

6.2.c If customers could implement the payment application into a wireless environment, examine PA-DSS Implementation Guide prepared by vendor to verify customers and resellers/integrators are instructed on PCI DSS-compliant wireless settings, per PCI DSS Requirements 1.3.8, 2.1.1 and 4.1.1.