PCI DSS 11.2.2: Maintain Wireless Access Point Inventory
Wireless networks present significant security risks if left uncontrolled. PCI DSS 11.2.2 requires you to maintain a complete, documented inventory of every authorized wireless access point with clear business justification. This control prevents unauthorized access points from creating hidden entry points into your cardholder data environment.
What this means
You must document every wireless access point authorized to operate within or near your network environment. Each entry point needs business justification explaining why it's necessary for operations. This inventory serves as your baseline for detecting rogue or unauthorized wireless devices that could bypass your security controls and expose payment card data.
How to comply
- 1.Conduct a complete site survey to identify all active wireless access points across your organization
- 2.Document each access point with technical details: MAC address, SSID, location, and frequency band
- 3.Assign business justification to each access point explaining operational necessity
- 4.Establish ownership and maintain contact information for each device
- 5.Implement a change control process for adding, modifying, or removing access points
- 6.Perform quarterly or semi-annual re-inventories to identify unauthorized devices
- 7.Compare actual devices against your authorized inventory during assessments
Evidence auditors look for
- Wireless access point inventory spreadsheet with MAC addresses, locations, and business justifications
- Network diagrams showing authorized wireless coverage areas
- Change control documentation approving new access points
- Site survey reports from wireless assessments
- Quarterly inventory reconciliation records
- Configuration management database entries for wireless devices
- Photographs or floor plans marking access point locations
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically catalogs your wireless infrastructure and flags devices not matching your authorized inventory, eliminating manual scanning and reducing rogue device detection time from hours to minutes.
See how GRCWatch handles this control automatically
Start free trial