GRCWatch
Sign inStart free trial

PCI DSS 1.3.3: Isolate Wireless Networks from CDE

Wireless networks present unique security risks to cardholder data environments. PCI DSS 1.3.3 requires network security controls between all wireless networks and your CDE, regardless of whether the wireless network itself contains cardholder data. Proper isolation prevents unauthorized access and lateral movement within your network.

What this means

This control mandates that organizations install and maintain network security controls—such as firewalls or similar devices—between wireless networks and the cardholder data environment. The requirement applies to all wireless networks in your organization, whether they handle sensitive data or not. The goal is to prevent wireless networks from becoming an unintended entry point into systems that process, store, or transmit cardholder data.

How to comply

  1. 1.Identify all wireless networks in your organization, including guest networks and employee WiFi
  2. 2.Install network security controls (firewalls, intrusion prevention systems) at the boundary between wireless and wired networks
  3. 3.Configure NSCs to deny all traffic between wireless networks and the CDE by default
  4. 4.Document the network architecture showing wireless isolation and control placement
  5. 5.Test wireless-to-CDE connectivity to verify controls are blocking unauthorized access
  6. 6.Review and update firewall rules regularly to maintain proper segmentation
  7. 7.Monitor logs from network security controls for suspicious wireless access attempts

Evidence auditors look for

  • Firewall configuration files showing rules that isolate wireless networks from CDE
  • Network diagrams clearly depicting wireless networks segregated from cardholder data systems
  • Documentation of all wireless networks within the organization
  • Proof of penetration testing or vulnerability assessments validating wireless isolation
  • Security control implementation logs and timestamps for wireless NSCs
  • Change management records for firewall rule updates related to wireless segmentation

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically maps your network architecture to PCI DSS requirements and flags wireless networks missing isolation controls, ensuring 1.3.3 compliance without manual network documentation.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 1.1 - Firewall Configuration StandardsPCI DSS 1.2 - Firewall and Router ConfigurationPCI DSS 1.2.1 - Firewall Configuration DocumentationPCI DSS 2.2.4 - Network SegmentationPCI DSS 2.4 - Wireless Network Documentation