[PCI DSS 3.0] 2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardhol

2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings.

2.1.1.a Interview responsible personnel and examine supporting documentation to verify that:
• Encryption keys were changed from default at installation
• Encryption keys are changed anytime anyone with knowledge of the keys leaves the company or changes positions.

2.1.1.b Interview personnel and examine policies and procedures to verify:
• Default SNMP community strings are required to be changed upon installation.
• Default passwords/phrases on access points are required to be changed upon installation.

2.1.1.c Examine vendor documentation and login to wireless devices, with system administrator help, to verify:
• Default SNMP community strings are not used.
• Default passwords/passphrases on access points are not used.

2.1.1.d Examine vendor documentation and observe wireless configuration settings to verify firmware on wireless devices is updated to support strong encryption for:
• Authentication over wireless networks
• Transmission over wireless networks.

2.1.1.e Examine vendor documentation and observe wireless configuration settings to verify other security-related wireless vendor defaults were changed, if applicable.

If wireless networks are not implemented with sufficient security configurations (including changing default settings), wireless sniffers can eavesdrop on the traffic, easily capture data and passwords, and easily enter and attack the network.

In addition, the key-exchange protocol for older versions of 802.11x encryption (Wired Equivalent Privacy, or WEP) has been broken and can render the encryption useless. Firmware for devices should be updated to support more secure protocols.