The PCI DSS Wireless Guidelines Informational Supplement version 2.0 references several security methods. This document specifies the strongest security method available for each device. However, it is not always practical to apply every recommendation in the supplement. See below:
From Section 4.4.1 Summary of Recommendations:
WPA or WPA2 Enterprise mode with 802.1X authentication and AES encryption is recommended for WLAN networks.
It is recommended that WPA2 Personal mode be used with a minimum 13-character random passphrase and AES encryption.
Pre-Shared Keys should be changed on a regular basis.
Centralized management systems that can control and configure distributed wireless networks are recommended.
The use of WEP in the CDE is prohibited for all deployments after June 30, 2010.
Generally applicable wireless requirements. These are requirements that all organizations should have in place to protect their networks from attacks by way of rogue or unknown wireless Access Points (APs) and clients. They apply to organizations regardless of their use of wireless technology and regardless of whether the wireless technology is a part of the CDE or not. As a result, they are generally applicable to organizations that wish to comply with PCI DSS.
Requirements applicable for in-scope wireless networks. These are requirements that all organizations that transmit payment card information over wireless technology should have in place to protect those systems. They are specific to the usage of wireless technology that is in scope for PCI DSS compliance, namely the Cardholder Data Environment (CDE). These requirements apply in addition to the universally applicable set of requirements.
This document assumes that all Access Points operate inside the CDE scope as explained in the PCI DSS Wireless Implementation Guide 2.0.
Wired Equivalent Privacy (WEP) keys
Default Service Set Identifiers (SSIDs)
Default Passwords
SNMP Community Strings
Disable SSID Broadcasts
Enable Wi-Fi Protected Access (WPA or WPA2) for encryption, with EAP authentication, wherever the equipment is WPA-capable
Default settings must be changed before the site goes live to maintain PCI compliance.
All wireless encryption keys must be changed at least once a year to maintain PCI compliance.
For wireless networks transmitting cardholder data, encrypt the transmissions by using Wi-Fi Protected Access (WPA or WPA2) technology, an IPsec VPN, or SSL/TLS. Never rely exclusively on Wired Equivalent Privacy (WEP) to protect the confidentiality of, and access to, a wireless LAN.
Use with a minimum 104-bit encryption key and 24-bit initialization vector
Use ONLY in conjunction with Wi-Fi protected access (WPA or WPA2) technology, VPN, or SSL/TLS
Rotate shared WEP keys quarterly (or automatically if the technology permits)
Rotate shared WEP keys whenever there are changes in personnel
Restrict access based on media access control (MAC) address
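An added example (not part of the supplement or of any vendor's tooling): a Python checker that turns the points above into findings for one access point's configuration. The configuration field names, the vendor-default lists and the sample configurations are constructed for this example.

```python
from datetime import date

# Constructed lists of vendor defaults an assessor would compare against
# (illustrative only, not a real vendor inventory).
DEFAULT_SSIDS = {"linksys", "default", "wireless"}
DEFAULT_PASSWORDS = {"admin", "password", ""}
DEFAULT_COMMUNITIES = {"public", "private"}

def assess_ap_config(cfg: dict, today: date) -> list:
    """Return a list of PCI DSS wireless findings for one access point.
    Constructed schema: ssid, ssid_broadcast, admin_password, snmp_community,
    security ('WEP'|'WPA'|'WPA2'|'OPEN'), cipher ('AES'|'TKIP'|'RC4'),
    auth ('EAP'|'PSK'), passphrase, key_changed (date of last key change)."""
    findings = []
    if cfg["ssid"].lower() in DEFAULT_SSIDS:
        findings.append("default SSID still in use")
    if cfg["ssid_broadcast"]:
        findings.append("SSID broadcast enabled")
    if cfg["admin_password"] in DEFAULT_PASSWORDS:
        findings.append("default administrator password")
    if cfg["snmp_community"] in DEFAULT_COMMUNITIES:
        findings.append("default SNMP community string")
    sec = cfg["security"]
    if sec in ("WEP", "OPEN"):
        findings.append(f"{sec} is prohibited in the CDE; use WPA/WPA2 with AES")
    else:
        if cfg["cipher"] != "AES":
            findings.append("WPA/WPA2 configured without AES encryption")
        if cfg["auth"] == "PSK":  # Personal mode: 13+ character random passphrase
            pw = cfg["passphrase"]
            if len(pw) < 13:
                findings.append("WPA2 Personal passphrase shorter than 13 characters")
            # a passphrase drawn from a single character class is not random
            if pw.isalpha() or pw.isdigit():
                findings.append("WPA2 Personal passphrase does not look random")
    if (today - cfg["key_changed"]).days > 365:  # annual key rotation
        findings.append("encryption key not changed within the last year")
    return findings

# Constructed sample configurations: one as shipped, one hardened.
WEAK_AP = {"ssid": "linksys", "ssid_broadcast": True, "admin_password": "admin",
           "snmp_community": "public", "security": "WPA2", "cipher": "TKIP",
           "auth": "PSK", "passphrase": "cafeteria", "key_changed": date(2009, 1, 15)}
HARDENED_AP = {"ssid": "store-417-pos", "ssid_broadcast": False,
               "admin_password": "Vq8#rL2m!xP9", "snmp_community": "Rz7-qL0m-Ta4",
               "security": "WPA2", "cipher": "AES", "auth": "EAP",
               "passphrase": "", "key_changed": date(2010, 9, 1)}

if __name__ == "__main__":
    for name, ap in (("weak", WEAK_AP), ("hardened", HARDENED_AP)):
        print(name, assess_ap_config(ap, date(2011, 1, 1)))
```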