23 Jul 19

Requirement 1.2.3 And Not Applicable

I had a question posed here a week ago that resulted in a discussion regarding whether or not PCI DSS requirement 1.2.3 can be marked as ‘Not Applicable’ or NA.  What prompted this discussion is a post from long ago where I discussed certain requirements that cannot be marked as NA.

The discussion revolved around this statement from page 4 of the PCI Report On Compliance (ROC) Reporting Template in a discussion about the difference between Not Applicable and Not Tested.

“Using the example of wireless and an organization that does not use wireless technology in any capacity, an assessor could select “N/A” for Requirements 1.2.3, 2.1.1, and 4.1.1, after the assessor confirms that there are no wireless technologies used in their CDE or that connect to their CDE via assessor testing. Once this has been confirmed, the organization may select “N/A” for those specific requirements, and the accompanying reporting must reflect the testing performed to confirm the not applicable status.”

I can tell you right now that the Council’s Assessor Quality Management (AQM) team has called out the fact that when they say “does not use wireless technology in any capacity” they mean absolutely NONE, NADA, ZIP.  I cannot tell you the number of discussions I and others have had in AQM reviews where they mark you down for missing this nuance.  At the end of the day, their rule is that the minute a QSA sees any wireless, whether it is corporate wireless, guest wireless or anything else, 1.2.3 must NOT be marked NA.

In discussions with a variety of QSAs, we all remarked that we regularly see sections 3.7 and 3.8 mention wireless networks, and see wireless documented in the network diagrams in section 4.1.  Yet, when you get down to 1.2.3, the QSA would mark it NA because the wireless did not connect to the CDE.  In today’s ultra-connected world, it is extremely rare (as in almost never) that wireless is NOT present and operated by an organization.  Even data centers have wireless installed in their facilities.

Even if that wireless is not in the CDE, the QSA is required to validate that the wireless has no direct access to the CDE.  That is exactly why 1.2.3.b specifically asks:

“Verify that the firewalls deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment.”

The QSA must reply either ‘Yes’ or ‘No’ to 1.2.3.b.  There is no NA option here.

If the answer to 1.2.3.b is ‘No’ (which is usually the case), the QSA is required to:

“Describe how firewall and/or router configurations verified that firewalls deny all traffic from any wireless environment into the cardholder environment.”

The bottom line is – if there is ANY mention of wireless networking anywhere other than the requirements in 11.1, then 1.2.3 must NOT be marked as NA.
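One way to produce the kind of evidence 1.2.3.b asks for, as an added example that is not from this post: a small Python check over a first-match firewall rule set that confirms wireless-to-CDE traffic is denied except for documented, business-justified flows. The address ranges, rules and flows below are constructed for the illustration and are not from any real environment.

```python
"""Added example: evaluate a constructed firewall rule set against PCI DSS 1.2.3.b."""
import ipaddress

# Constructed segments (assumption): the wireless network and the CDE address range.
WIRELESS = ipaddress.ip_network("10.50.0.0/16")
CDE = ipaddress.ip_network("10.10.0.0/24")

# Rules as (action, src_cidr, dst_cidr, dst_port_or_None); first match wins, implicit deny at the end.
RULES = [
    ("permit", "10.50.1.0/24", "10.10.0.5/32", 443),   # documented: wireless handhelds -> CDE web API
    ("deny",   "10.50.0.0/16", "10.10.0.0/24", None),  # everything else wireless -> CDE is dropped
    ("permit", "10.50.0.0/16", "0.0.0.0/0",    None),  # wireless to anything non-CDE is allowed
]
# A weak ordering of the same rules: the broad permit shadows the deny (constructed failure case).
BAD_RULES = [RULES[2], RULES[0], RULES[1]]

# Business-justified flows the ROC documents (constructed), and probe flows to test with.
AUTHORIZED = [("10.50.1.10", "10.10.0.5", 443)]
PROBES = [
    ("10.50.1.10", "10.10.0.5", 443),     # the authorized flow itself
    ("10.50.1.10", "10.10.0.5", 22),      # same hosts, undocumented port
    ("10.50.2.7", "10.10.0.5", 443),      # other wireless subnet to the CDE API
    ("10.50.9.9", "10.10.0.200", 1433),   # wireless to a CDE database host
]

def decision(rules, src, dst, dport):
    """Return 'permit' or 'deny' for one flow using first-match semantics."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rsrc, rdst, rport in rules:
        if (s in ipaddress.ip_network(rsrc) and d in ipaddress.ip_network(rdst)
                and (rport is None or rport == dport)):
            return action
    return "deny"  # implicit deny when no rule matches

def assess_1_2_3_b(rules, authorized, probes):
    """Wireless -> CDE traffic must be denied unless it is in the documented 'authorized' list,
    and each authorized flow must actually work. Returns a list of findings (empty means pass)."""
    findings = []
    for src, dst, dport in authorized:
        if decision(rules, src, dst, dport) != "permit":
            findings.append(f"authorized flow {src}->{dst}:{dport} is blocked; fix rules or the ROC")
    for src, dst, dport in probes:
        in_scope = ipaddress.ip_address(src) in WIRELESS and ipaddress.ip_address(dst) in CDE
        if in_scope and (src, dst, dport) not in authorized \
                and decision(rules, src, dst, dport) == "permit":
            findings.append(f"UNAUTHORIZED wireless->CDE flow permitted: {src}->{dst}:{dport}")
    return findings

if __name__ == "__main__":
    for name, rules in (("RULES", RULES), ("BAD_RULES", BAD_RULES)):
        print(name, assess_1_2_3_b(rules, AUTHORIZED, PROBES) or "PASS")
```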

Hopefully we are all clear on how to address wireless networks now.


2 Responses to “Requirement 1.2.3 And Not Applicable”


  1. Raylund Lai
    February 5, 2020 at 3:01 PM

    We have wireless, but this wireless network is a totally separate network, not even sharing a single device with our CDE network. The only thing in common is that both networks use the same ISP (but with different public IP addresses). Does this fulfill the “N/A”?

    Reply, February 7, 2020 at 5:15 PM

      Yes, but you MUST conduct appropriate testing to prove that the wireless network cannot access the cardholder data environment (CDE) and then use that as your rationale for marking wireless as NA. Even then, 1.2.3 and 11.1.x cannot be marked as NA as I explain in the post.

