PCI DSS 2.3.2: Change Wireless Encryption Keys When Personnel Leave
Wireless encryption key changes are a critical control point when staff depart or security is breached. PCI DSS 2.3.2 requires organizations to rotate encryption keys proactively and reactively to prevent unauthorized network access. This control directly protects cardholder data from former employees and compromised credentials.
What this means
Control 2.3.2 mandates that wireless encryption keys must be changed immediately when personnel with access leave the organization. Additionally, keys must be rotated whenever there is knowledge or reasonable suspicion that a key has been compromised. This prevents former employees from maintaining network access and eliminates the risk of known-compromised keys remaining active on your wireless infrastructure.
How to comply
- 1.Document all personnel who have access to wireless encryption keys and maintain an updated access roster
- 2.Establish a formal offboarding procedure that includes wireless key rotation as a mandatory step when any employee departs
- 3.Implement a process to immediately rotate keys upon detection or suspicion of compromise
- 4.Create and maintain change logs documenting all wireless key rotations, including dates, personnel involved, and reason for change
- 5.Test key rotation procedures regularly to ensure they execute without disrupting legitimate wireless access
- 6.Verify that new keys meet minimum entropy and length requirements for your wireless encryption standard
Evidence auditors look for
- Offboarding checklists with wireless key rotation sign-offs and completion dates
- Wireless encryption key rotation logs showing dates and reasons for each change
- Personnel access lists cross-referenced with key rotation records
- Incident reports documenting compromised key discovery and immediate remediation actions
- Wireless network configuration backups showing key changes pre- and post-rotation
- Change management tickets authorizing and tracking all key rotation events
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates wireless key rotation workflows and maintains complete audit trails, alerting you to required changes when offboarding events occur and generating the evidence logs auditors expect.
See how GRCWatch handles this control automatically
Start free trial