Wireless Activity Monitoring for PCI DSS Compliance
In an effort to be PCI DSS compliant, I took a trustkeeper.net questionnaire. I failed the question that asks:
Is the presence of wireless access points tested for by using a wireless analyzer at least quarterly or by deploying a wireless IDS/IPS to identify all wireless devices in use? (SAQ #11.1)
My only wireless access point is outside my firewall, so even if you cracked my wireless you couldn't get inside my domain running on Windows 2000 (unless you crack that too). My firewall is a Sonicwall Pro 2040 and doesn't have IPS - I couldn't tell if it had IDS. The router is a 8 port D-link.
I looked around for a wireless analyzer, but what I found was $500, which is a little pricey for my size business. Even if I got it, I'm not sure I would understand what it tells me. Surely there are smaller/less sophisticated businesses that take credit cards and have solved this?
What are the risks if someone were to crack my wireless? (Could they read all internet traffic? Just wireless traffic? Just use my internet connection?) And what is the best/cheapest way to test my connection point quarterly? Should I buy the $500 analyzer?
Update My credit card processor says I can fulfill this requirement by walking around the building and visually searching for unauthorized wireless devices.
