We have wireless logistics/inventory devices that don't interact with point-of-sale (POS) devices and don't process, store, or transmit card data, but they are on the same SSID as the POS devices. Are they in PCI DSS scope as part of the CDE? How can we be sure we are ensuring wireless PCI compliance?
The Payment Card Industry (PCI) Data Security Standard (DSS) is intended to help merchants, service providers, and others involved in credit/debit card transactions strengthen their handling of payment card data. The PCI DSS framework specifies requirements for developing a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents.
To answer your question, we must first define "CDE." "Cardholder Data Environment: The people, processes and technology that store, process or transmit cardholder data or sensitive authentication data, including any connected system components." Cardholder Data consists of at least the full primary account number (PAN), and may include additional data such as cardholder name, expiration date and/or service code.
Digging further, "system components" are defined as "any network component, server, or application included in or connected to the cardholder data environment." So, in a wireless network, we need to identify the network components and the PCI DSS requirements imposed upon them. Specifically, look at requirement #1:
"Install and maintain a firewall and router configuration to protect cardholder data. Firewalls are devices that control computer traffic allowed into and out of an organization’s network, and into sensitive areas within its internal network. Firewall functionality may also appear in other system components. Routers are hardware or software that connects two or more networks. All such devices are in scope for assessment of Requirement 1 if used within the cardholder data environment."
Circling back to your question, you have POS devices that handle cardholder data and inventory devices that don't handle cardholder data, both connecting to the same SSID. Assuming both are in fact connecting through the same APs and router, those network components are in scope because they're being used to relay cardholder data from POS devices.
Further clarification can be found in the PCI DSS scope clause: "If a wireless technology is used to store, process, or transmit cardholder data (for example, point-of-sale transactions, “line-busting”), or if a wireless local area network (WLAN) is connected to, or part of, the cardholder data environment (for example, not clearly separated by a firewall), the PCI DSS and testing procedures for wireless environments apply and must be performed."
Note that even if you moved POS and inventory traffic onto different SSIDs, but still connected both through the same APs, those APs would be in scope. In short, if you want to remove your inventory devices from the CDE, you need to connect them via network components that are clearly separate from (that is, firewalled off) the CDE.
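The scoping rule in the answer above (every network component that relays cardholder data is in scope, anything connected to the CDE without a firewall in between is in scope, and a firewall separating a segment is itself assessed but stops the walk) can be checked mechanically against a network inventory. The following Python script is an added example and is not part of the original answer or of any PCI document; the device names, the two topologies and the `chd`/`firewall` attributes are constructed for illustration. It walks the link graph from every device that handles cardholder data and reports what lands in scope, first for the shared-AP layout described in the question and then for a segmented layout where the inventory handhelds sit behind the firewall on their own access point.

```python
"""Connected-system scoping walk for a wireless store network.

Starting from every device that stores, processes or transmits cardholder
data (CHD), mark everything reachable over network links as in scope.
A firewall node is added to scope (Requirement 1 assesses it) but the walk
does not continue past it, because the segment beyond is separated.
"""
from collections import defaultdict, deque


def build_adjacency(links):
    """Undirected adjacency list from (a, b) link pairs."""
    adj = defaultdict(set)
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def in_scope(devices, links):
    """Return the set of device names in PCI DSS scope.

    devices: {name: {"chd": bool, "firewall": bool}} (missing keys = False)
    links:   iterable of (name, name) pairs, treated as undirected
    """
    adj = build_adjacency(links)
    seeds = [n for n, attrs in devices.items() if attrs.get("chd")]
    scope = set(seeds)
    queue = deque(seeds)
    while queue:
        node = queue.popleft()
        for nbr in adj[node]:
            if nbr in scope:
                continue
            scope.add(nbr)
            # A firewall protecting the CDE is assessed, but nothing behind
            # it is pulled in by this path: that is what "clearly separated
            # by a firewall" buys you.
            if not devices.get(nbr, {}).get("firewall"):
                queue.append(nbr)
    return scope


def out_of_scope(devices, links):
    """Devices from the inventory that the walk never reached."""
    return set(devices) - in_scope(devices, links)


# Constructed topology matching the question: POS and inventory handhelds on
# the same access point (same SSID or not, the AP is shared), AP wired to
# the store router, firewall in front of the back-office inventory server.
SHARED_AP = {
    "devices": {
        "pos-1": {"chd": True},
        "inv-1": {"chd": False},
        "ap-1": {},
        "router-1": {},
        "fw-1": {"firewall": True},
        "inv-server": {},
    },
    "links": [
        ("pos-1", "ap-1"), ("inv-1", "ap-1"), ("ap-1", "router-1"),
        ("router-1", "fw-1"), ("fw-1", "inv-server"),
    ],
}

# Same devices after segmentation: the inventory handhelds use their own AP
# (ap-2, constructed) on the far side of the firewall.
SEGMENTED = {
    "devices": dict(SHARED_AP["devices"], **{"ap-2": {}}),
    "links": [
        ("pos-1", "ap-1"), ("ap-1", "router-1"), ("router-1", "fw-1"),
        ("fw-1", "ap-2"), ("ap-2", "inv-1"), ("fw-1", "inv-server"),
    ],
}

if __name__ == "__main__":
    for label, topo in (("shared AP", SHARED_AP), ("segmented", SEGMENTED)):
        print(f"{label}: in scope = {sorted(in_scope(**topo))}, "
              f"out of scope = {sorted(out_of_scope(**topo))}")
```

In the shared-AP layout the walk reaches the inventory handheld through the access point, so it is in scope along with the AP and router; only the server behind the firewall is excluded. In the segmented layout the handheld and its AP drop out of scope because the firewall is the first thing the CDE path hits. The script only models what is in the inventory, so its answer is only as good as the link list you feed it; an undocumented cable or a second radio on the same AP will not show up.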
This was first published in October 2011