PCI DSS 2.3.1: Change Wireless Vendor Defaults in Your CDE
Wireless networks connected to your cardholder data environment (CDE) are a prime attack vector when left with manufacturer defaults. PCI DSS 2.3.1 requires you to replace or verify all wireless vendor defaults before deployment. This control closes a critical gap that attackers exploit to gain network access.
What this means
Any wireless access points, routers, or controllers connected to your CDE must have all default credentials, settings, and configurations replaced with secure alternatives at installation. If you inherit existing wireless infrastructure, you must verify that defaults have already been changed and are genuinely secure—not simply assumed safe. This applies to SSIDs, encryption keys, management interfaces, and administrative passwords.
How to comply
- 1.Identify all wireless devices connected to or accessible from your CDE before deployment
- 2.Access each wireless device's management interface using documented default credentials
- 3.Change all default usernames and passwords to strong, unique credentials stored in your password manager
- 4.Disable or rename default SSIDs; configure custom network identifiers
- 5.Verify encryption is set to WPA2 or WPA3 (not WEP or open networks)
- 6.Disable remote management features unless explicitly required
- 7.Document the original defaults, changes made, and date of change for each device
- 8.Audit existing wireless infrastructure to confirm prior default changes are in place and effective
- 9.Remove or isolate any legacy wireless devices that cannot meet security requirements
Evidence auditors look for
- Wireless device configuration screenshots showing changed admin credentials and custom SSID
- Change log or ticket system entries documenting default password changes with dates
- Wireless security audit report confirming encryption standards (WPA2/WPA3) and disabled unnecessary services
- Inventory spreadsheet mapping wireless devices to CDE scope and change verification status
- Before/after device configuration exports showing default values replaced
- Compliance checklists signed by IT personnel confirming vendor defaults were addressed
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates wireless device discovery and tracks which defaults have been changed across your CDE, so you never lose visibility into which access points still need hardening.
See how GRCWatch handles this control automatically
Start free trial