23 July 2019

Requirement 1.2.3 And Not Applicable

I had a question posed here a week ago that resulted in a discussion about whether or not PCI DSS requirement 1.2.3 can be marked as ‘Not Applicable’ or NA.  What prompted this discussion was a post from long ago in which I discussed certain requirements that cannot be marked as NA.

The discussion revolved around this statement from page 4 of the PCI Report On Compliance (ROC) Reporting Template, in its discussion of the difference between Not Applicable and Not Tested.

“Using the example of wireless and an organization that does not use wireless technology in any capacity, an assessor could select “N/A” for Requirements 1.2.3, 2.1.1, and 4.1.1, after the assessor confirms that there are no wireless technologies used in their CDE or that connect to their CDE via assessor testing. Once this has been confirmed, the organization may select “N/A” for those specific requirements, and the accompanying reporting must reflect the testing performed to confirm the not applicable status.”

I can tell you right now that the Council’s Assessor Quality Management (AQM) team has called out the fact that when they say “does not use wireless technology in any capacity” they mean absolutely NONE, NADA, ZIP.  I cannot tell you the number of discussions I and others have had in AQM reviews where they mark you down for missing this nuance.  At the end of the day, their rule is that the minute a QSA sees wireless whether it is corporate wireless, guest wireless, whatever, that means that 1.2.3 must NOT be marked NA.

In discussions with a variety of QSAs, we all remarked that we regularly see sections 3.7 and 3.8 mention wireless networks, and that wireless is documented in the network diagrams in section 4.1.  Yet, when you get down to 1.2.3, the QSA marks it NA because the wireless does not connect to the CDE.  In today’s ultra-connected world, it is extremely rare (as in almost never) that wireless is NOT present and operated by an organization.  Even data centers have wireless installed in their facilities.

Even if that wireless is not in the CDE, the QSA is required to validate that the wireless has no direct access to the CDE.  That is exactly why 1.2.3.b specifically asks:

“Verify that the firewalls deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment.”

The QSA must reply either ‘Yes’ or ‘No’ to 1.2.3.b.  There is no NA option here.

If the answer to 1.2.3.b is ‘No’ (which is usually the case), the QSA is required to:

“Describe how firewall and/or router configurations verified that firewalls deny all traffic from any wireless environment into the cardholder environment.”
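To show the kind of testing evidence 1.2.3.b asks for, here is an added example (not from the original post) that walks a constructed, top-down, first-match firewall ruleset and reports every wireless-to-CDE path that is not denied or is permitted without a documented business need. The rule format, subnets and ticket reference are all assumptions made up for the illustration.

```python
"""PCI DSS 1.2.3.b evidence check: is every wireless -> CDE path denied, or
allowed only with a documented business justification? Added example; the
rule format and networks below are constructed assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    src: str                  # source CIDR ("any" = 0.0.0.0/0)
    dst: str                  # destination CIDR
    action: str               # "allow" or "deny"
    justification: str = ""   # business need; required for any allow


# Constructed ruleset, evaluated top-down, first match wins.
RULES = [
    Rule("10.50.0.0/16", "10.10.0.0/24", "deny"),                  # corporate wifi -> CDE
    Rule("10.60.0.0/24", "10.10.0.10/32", "allow",
         "POS tablets to payment app, change ticket CHG-000 (placeholder)"),
    Rule("10.60.0.0/24", "10.10.0.0/24", "deny"),                  # rest of POS wifi -> CDE
    Rule("any", "any", "deny"),                                    # default deny
]
WIRELESS = ["10.50.0.0/16", "10.60.0.0/24"]   # constructed wireless segments
CDE = ["10.10.0.0/24"]                        # constructed CDE segment


def _net(cidr):
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr)


def first_match(rules, src, dst):
    """Return the first rule whose src and dst overlap the given networks, else None."""
    for r in rules:
        if _net(r.src).overlaps(src) and _net(r.dst).overlaps(dst):
            return r
    return None


def check_wireless_to_cde(rules, wireless, cde):
    """Return findings for each wireless->CDE pair; an empty list means every
    path hits a deny or a justified allow, which is the evidence 1.2.3.b wants."""
    findings = []
    for w in map(_net, wireless):
        for c in map(_net, cde):
            r = first_match(rules, w, c)
            if r is None:
                findings.append(f"{w}->{c}: no matching rule (missing default deny)")
            elif r.action == "allow" and not r.justification:
                findings.append(f"{w}->{c}: allowed by {r.src}->{r.dst} without business justification")
    return findings
```

Run it against the ruleset actually exported from the firewall, and attach the findings (or the empty result plus the rule listing) as the testing narrative for 1.2.3.b rather than just ticking NA.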

The bottom line is – if there is ANY mention of wireless networking anywhere other than the requirements in 11.1, then 1.2.3 must NOT be marked as NA.

Hopefully we are all clear on how to address wireless networks now.


4 Responses to “Requirement 1.2.3 And Not Applicable”


  1. QSAsteve
    February 28, 2020 at 4:23 AM

    Always find your blogs thought provoking and I agree in principle with what you have said here. However the PCI SSC muddy the waters since the RoC guidance says: “an assessor could select “N/A” for Requirements 1.2.3, 2.1.1, and 4.1.1, after the assessor confirms that there are no wireless technologies used in their CDE or that connect to their CDE via assessor testing. Once this has been confirmed, the organization may select “N/A” for those specific requirements,”.

    • February 28, 2020 at 10:56 AM

      The bottom line is that it is NOT as simple as just saying or checking NA and moving on. The assessor (QSA/ISA/someone) MUST explain what testing procedures were conducted and have the evidence documented to ensure that wireless is not applicable. That is where people go wrong.

  2. Raylund Lai
    February 5, 2020 at 3:01 PM

    We have wireless, but this wireless network is a totally separate network, not even sharing a single device with our CDE network. The only thing in common is that both networks use the same ISP (but different public IP addresses). Does this fulfill the “N/A”?

    • February 7, 2020 at 5:15 PM

      Yes, but you MUST conduct appropriate testing to prove that the wireless network cannot access the cardholder data environment (CDE) and then use that as your rationale for marking wireless as NA. Even then, 1.2.3 and 11.1.x cannot be marked as NA as I explain in the post.
