I had a question posed here a week ago that resulting in a discussion regarding whether or not PCI DSS requirement 1.2.3 can be marked as ‘Not Applicable’ or NA. What prompted this discussion is a post from long ago where I discussed certain requirements that cannot be marked as NA.
The discussion revolved around this statement from page 4 of the PCI Report On Compliance (ROC) Reporting Template in a discussion about the difference between Not Applicable and Not Tested.
“Using the example of wireless and an organization that does not use wireless technology in any capacity, an assessor could select “N/A” for Requirements 1.2.3, 2.1.1, and 4.1.1, after the assessor confirms that there are no wireless technologies used in their CDE or that connect to their CDE via assessor testing. Once this has been confirmed, the organization may select “N/A” for those specific requirements, and the accompanying reporting must reflect the testing performed to confirm the not applicable status.”
I can tell you right now that the Council’s Assessor Quality Management (AQM) team has called out the fact that when they say “does not use wireless technology in any capacity” they mean absolutely NONE, NADA, ZIP. I cannot tell you the number of discussions I and others have had in AQM reviews where they mark you down for missing this nuance. At the end of the day, their rule is that the minute a QSA sees wireless whether it is corporate wireless, guest wireless, whatever, that means that 1.2.3 must NOT be marked NA.
In discussions with a variety of QSAs, we all remarked that we regularly see sections 3.7 and 3.8 mention wireless networks as well as it is documented in the network diagrams in section 4.1. Yet, when you got down to 1.2.3 the QSA would mark it NA because the wireless did not connect to the CDE. In today’s ultra-connected world, it is extremely rare (as in almost never) that wireless is NOT present and operated by any organization. Even data centers have wireless installed in their facilities.
Even if that wireless is not in the CDE, the QSA is required to validate that the wireless has no direct access to the CDE. That is exactly why 1.2.3.b specifically asks:
“Verify that the firewalls deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment.”
The QSA must reply either ‘Yes’ or ‘No’ to 1.2.3.b. There is no NA option here.
If the answer to 1.2.3.b is ‘No’ (which is usually the case), the QSA is required to:
“Describe how firewall and/or router configurations verified that firewalls deny all traffic from any wireless environment into the cardholder environment.”
The bottom line is – if there is ANY mention of wireless networking anywhere other than the requirements in 11.1, then 1.2.3 must NOT be marked as NA.
Hopefully we are all clear on how to address wireless networks now.
PCI Guru 