PCI DSS Wireless Analysis and Recommendations, Part 2



As I said in Part I, the PCI DSS Wireless Guidance document fills a very important need. Today I will continue analyzing it. I will number my suggestions and ask that you refer to those numbers in your comments. Remember: the goal is to help improve the document.


How to Improve on the PCI DSS Wireless Guidelines Document – Part II


A small matter, but (7) the definition of part B, whereby a hub switch or other network device …transmits cardholder data, is not accurate. Why don’t we define it, for these purposes, as a non-segmenting network device that can submit and receive data? Would that work better? Leaving it as is breaks your demarcation example and your "directly" connected assumption.

A bigger problem appears with figure 3:


If you define the firewall as the Demarc point, as done above, and then try including a wireless access point "F" inside the perimeter, as drawn here, there is a danger of causing confusion about what is proper and what is right. By marking the network device "B" as an Unrouted Switch (which I believe is done in order to parallel the picture above), a dangerous possibility of complete non-segmentation exists here. Simply put: I believe it is possible for an architect or non-security technologist to design to this diagram. Why don’t we (8) display the right-and-proper way to do it instead?


Proper Architecture

Section 2.1.3 does provide a more appropriate segmentation of the network. Placing any wireless access point on a different network is a proper way to do so, given the business fact that "There is a different risk profile to wireless networks". As I said before:


If there is no business reason to do it, don’t do it.
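The segmentation concern behind suggestions (7) and (8), as an added example that is not from the original post or the PCI guidance: a small Python check that flags wireless access points sharing an unsegmented path with cardholder-data hosts. The device names (`FW`, `B`, `F`, `POS`, `WSW`), the kind labels and both topologies are constructed for illustration, and a firewall is assumed to actually enforce segmentation.

```python
from collections import deque

# Assumption for this sketch: only a firewall segments traffic. Hubs, unrouted
# switches and access points are "non-segmenting" devices, as in suggestion (7).
SEGMENTING = {"firewall"}

def unsegmented_aps(devices, links):
    """Return the wireless APs that a cardholder-data host can reach
    without crossing a segmenting device."""
    adj = {name: set() for name in devices}
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    starts = [name for name, kind in devices.items() if kind == "cde_host"]
    seen, queue, found = set(starts), deque(starts), set()
    while queue:
        node = queue.popleft()
        if devices[node] == "ap":
            found.add(node)
        if devices[node] in SEGMENTING:
            continue  # the path stops at the demarcation point
        for nxt in adj[node] - seen:
            seen.add(nxt)
            queue.append(nxt)
    return sorted(found)

# Constructed topology 1: AP "F" hangs off the same unrouted switch "B"
# as the cardholder-data host, inside the firewall.
FLAT = (
    {"FW": "firewall", "B": "switch", "POS": "cde_host", "F": "ap"},
    [("FW", "B"), ("B", "POS"), ("B", "F")],
)

# Constructed topology 2: the AP sits on its own network ("WSW") and can
# only reach the cardholder-data side through the firewall.
SEGMENTED = (
    {"FW": "firewall", "B": "switch", "POS": "cde_host",
     "WSW": "switch", "F": "ap"},
    [("FW", "B"), ("B", "POS"), ("FW", "WSW"), ("WSW", "F")],
)

if __name__ == "__main__":
    print("flat:", unsegmented_aps(*FLAT))
    print("segmented:", unsegmented_aps(*SEGMENTED))
```
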


More detail on the analysis of this paper will follow next week, on Monday.

Thank you for reading!






Beginning next week I intend to make:

– all, of course, time allowing.




