GRCWatch
Sign inStart free trial

PCI DSS 11.2.1: Manage Authorized and Unauthorized Wireless APs

Rogue wireless access points pose a critical threat to payment card data security. PCI DSS 11.2.1 requires organizations to detect both authorized and unauthorized wireless APs to prevent unauthorized network access. This control ensures your wireless infrastructure stays compliant and secure.

What this means

This control mandates the detection and active management of all wireless access points in your environment. You must identify which APs are authorized for business use and immediately detect any unauthorized or rogue devices that could bypass your network security. Effective management includes documenting authorized APs, monitoring for unauthorized activity, and removing or disabling non-compliant devices.

How to comply

  1. 1.Conduct a complete inventory of all wireless access points and document which are authorized for your environment
  2. 2.Implement wireless detection tools (site surveys, spectrum analysis) to identify both authorized and unauthorized APs
  3. 3.Establish monitoring processes to continuously scan for rogue access points on your network perimeter
  4. 4.Define a clear policy specifying which APs are authorized, their locations, and approved configurations
  5. 5.Document all detected unauthorized APs and implement immediate response procedures for removal or disabling
  6. 6.Perform periodic wireless penetration testing to validate detection and management effectiveness
  7. 7.Train network staff on wireless security protocols and rogue AP identification procedures

Evidence auditors look for

  • Wireless network inventory spreadsheet with authorized AP details (SSID, MAC address, location, owner)
  • Site survey reports documenting RF (radio frequency) coverage and unauthorized device detection
  • Wireless detection tool logs and dashboards showing continuous monitoring of authorized/unauthorized APs
  • Incident response records documenting discovery and remediation of rogue access points
  • Wireless security policy defining authorization criteria and management procedures
  • Penetration test reports validating rogue AP detection capabilities
  • Network segmentation documentation isolating wireless traffic from cardholder data environments

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates wireless access point inventory tracking and generates automated detection reports tied to your authorization baseline, eliminating manual site survey overhead while maintaining continuous compliance with PCI DSS 11.2.1.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 11.1 — Wireless Access Point DetectionPCI DSS 1.1.3 — Firewall Configuration StandardsPCI DSS 6.2 — Security Patches and Updates