PCI DSS 1.2 and Wifi Security

Wi-Fi security has caught the attention of laymen and experts alike. After the recent frenzy in the media, it is now the turn of the regulators and compliance frameworks. PCI DSS 1.2 (https://www.pcisecuritystandards.org/pdfs/pci_dss_summary_of_changes_v1-2.pdf) has been released and is seen as an improvement on PCI DSS 1.1 rather than a replacement for it. Of the few changes, two are significant: the application security requirement that had already been announced as mandatory, and the more stringent measures for Wi-Fi.

PCI DSS 1.2 (Requirement 4.1.1) now requires wireless networks that transmit cardholder data, or that connect to the cardholder data environment, to use industry best practice, for which the standard names IEEE 802.11i, for strong encryption of both authentication and transmission. WEP is not 802.11i at all, and first-generation WPA (TKIP) was only a stop-gap on the way to it, so current deployments that rely on either need to be replaced. The explicit deadlines are for WEP: new implementations of WEP are not allowed after March 31, 2009, and existing implementations must discontinue use of WEP after June 30, 2010. In an enterprise this means WPA2 with 802.1X, in which the client (the supplicant), the access point (the authenticator) and an authentication server such as RADIUS each play a part in access control, so every user or device is authenticated individually rather than sharing one key with everyone else. While the intention is to secure the Wi-Fi network, in practice this will drive proper identity and access management throughout the enterprise.
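As an added example (not code from the original post or from the PCI Security Standards Council), the following Python script reads hostapd-style access point configurations, names the security mode each one enables, and reports where it stands against the WEP cut-off dates quoted above. The two configuration fragments are constructed for illustration: the hostapd option names are real, but the SSID, RADIUS address, shared secret and NAS identifier are placeholders, and the findings about WPA/TKIP and pre-shared keys are this editor's recommendations, not wording from the standard.

```python
from datetime import date

# WEP cut-off dates set by PCI DSS 1.2 Requirement 4.1.1.
WEP_BAN_NEW = date(2009, 3, 31)       # no new WEP implementations after this date
WEP_BAN_EXISTING = date(2010, 6, 30)  # existing implementations must stop using WEP after this date

# Two constructed hostapd.conf fragments for the same access point (hostapd key
# names are real; the SSID, addresses and secret are placeholders).
WEP_CONF = """
interface=wlan0
driver=nl80211
ssid=POS-WIFI
hw_mode=g
channel=6
# One static 104-bit WEP key shared by every client: the setup PCI DSS 1.2 phases out
wep_default_key=0
wep_key0=0102030405060708090A0B0C0D
"""

WPA2_EAP_CONF = """
interface=wlan0
driver=nl80211
ssid=POS-WIFI
hw_mode=g
channel=6
# 802.11i (RSN/WPA2) with AES-CCMP, every client authenticated over 802.1X/EAP
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
# The authentication server: a RADIUS host on the wired side (placeholder values)
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=replace-with-a-long-random-secret
nas_identifier=ap1.store42.example
"""


def parse_hostapd(text):
    """Parse hostapd's key=value format, skipping comments and blank lines."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def classify(cfg):
    """Name the security mode a hostapd config enables: OPEN, WEP,
    WPA-PSK/TKIP, WPA2-EAP/CCMP and so on."""
    wpa = int(cfg.get("wpa", "0"))
    if wpa:
        proto = "WPA2" if wpa & 2 else "WPA"
        auth = "EAP" if "WPA-EAP" in cfg.get("wpa_key_mgmt", "WPA-PSK").split() else "PSK"
        ciphers = (cfg.get("rsn_pairwise") or cfg.get("wpa_pairwise") or "TKIP").split()
        cipher = "CCMP" if "CCMP" in ciphers else "TKIP"
        return f"{proto}-{auth}/{cipher}"
    if any(key.startswith("wep_key") for key in cfg):
        return "WEP"
    return "OPEN"


def assess(conf_text, deployed, today):
    """Return (mode, findings) for an AP put into service on `deployed`, judged on `today`."""
    cfg = parse_hostapd(conf_text)
    mode = classify(cfg)
    findings = []
    if mode == "OPEN":
        findings.append("no encryption at all; fails Requirement 4.1.1 outright")
    elif mode == "WEP":
        if deployed > WEP_BAN_NEW:
            findings.append(f"new WEP implementation after {WEP_BAN_NEW}: prohibited")
        if today > WEP_BAN_EXISTING:
            findings.append(f"WEP still in use after {WEP_BAN_EXISTING}: prohibited")
        else:
            findings.append(f"WEP must be retired by {WEP_BAN_EXISTING}")
    else:
        # Editor's recommendations, not text from the standard.
        if mode.startswith("WPA-") or mode.endswith("/TKIP"):
            findings.append("pre-802.11i WPA/TKIP; move to WPA2 (RSN) with CCMP")
        if "-PSK/" in mode:
            findings.append("shared key gives no per-user authentication; use 802.1X/EAP")
        if "-EAP/" in mode:
            if cfg.get("ieee8021x") != "1":
                findings.append("WPA-EAP selected but ieee8021x=1 is not set")
            if not cfg.get("auth_server_addr"):
                findings.append("802.1X enabled but no RADIUS authentication server configured")
    return mode, findings


if __name__ == "__main__":
    judged_on = date(2008, 11, 5)
    for label, conf in (("WEP AP", WEP_CONF), ("WPA2-Enterprise AP", WPA2_EAP_CONF)):
        mode, findings = assess(conf, deployed=date(2007, 1, 10), today=judged_on)
        print(f"{label}: {mode}")
        for finding in findings:
            print(f"  - {finding}")
```

Run it against a real hostapd.conf by passing the file's contents to assess(); the deployment date decides whether the March 2009 or the June 2010 deadline applies.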

Another interesting change is that turning off SSID broadcast has been removed and is no longer a requirement. The reason given is that it would not help much, because the SSID is still sent in the clear in other frames: the probe requests and responses and the association request exchanged whenever a legitimate client joins, so a "hidden" network is found as soon as anyone uses it. Given that security is always a layered approach, I wonder what the necessity was for removing this. Convenience? Your comments are welcome!
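As an added example (not code from the original post), the following Python code builds a constructed capture of four 802.11 management frames from a network that hides its SSID and parses the SSID information element out of each one. The beacon carries an empty SSID, but the probe request, probe response and association request that a legitimate client exchanges with the access point all name the network in the clear, which is why suppressing the broadcast only hides the network until somebody connects to it. The MAC addresses and the SSID are made up; the frame layout follows the IEEE 802.11 management frame format.

```python
import struct

# 802.11 management subtypes (frame control byte 0, bits 4-7) and the size of the
# fixed fields that sit between the 24-byte MAC header and the tagged elements.
SUBTYPE_ASSOC_REQ = 0x0   # capability (2) + listen interval (2)
SUBTYPE_PROBE_REQ = 0x4   # no fixed fields
SUBTYPE_PROBE_RESP = 0x5  # timestamp (8) + beacon interval (2) + capability (2)
SUBTYPE_BEACON = 0x8      # timestamp (8) + beacon interval (2) + capability (2)
FIXED_LEN = {SUBTYPE_ASSOC_REQ: 4, SUBTYPE_PROBE_REQ: 0,
             SUBTYPE_PROBE_RESP: 12, SUBTYPE_BEACON: 12}
NAMES = {SUBTYPE_ASSOC_REQ: "assoc_req", SUBTYPE_PROBE_REQ: "probe_req",
         SUBTYPE_PROBE_RESP: "probe_resp", SUBTYPE_BEACON: "beacon"}
MAC_HDR_LEN = 24
TAG_SSID = 0

AP_MAC = bytes.fromhex("001122334455")      # constructed, not a real AP
CLIENT_MAC = bytes.fromhex("66778899aabb")  # constructed
BROADCAST = b"\xff" * 6


def build_mgmt(subtype, ssid, src, dst):
    """Build a minimal 802.11 management frame (constructed test input)."""
    frame_control = struct.pack("<BB", (subtype << 4) | 0x00, 0x00)  # type 0 = management
    # FC(2) duration(2) addr1=dst(6) addr2=src(6) addr3=BSSID(6) seq ctrl(2)
    header = frame_control + b"\x00\x00" + dst + src + AP_MAC + b"\x00\x00"
    fixed = b"\x00" * FIXED_LEN[subtype]
    ies = bytes([TAG_SSID, len(ssid)]) + ssid            # SSID information element
    ies += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])         # supported rates IE after it
    return header + fixed + ies


def parse_mgmt_ssid(frame):
    """Return (subtype name, ssid); ssid is None for a hidden or wildcard SSID.
    Returns None for frames that are not one of the four management subtypes above."""
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    if ftype != 0 or subtype not in FIXED_LEN:
        return None
    off = MAC_HDR_LEN + FIXED_LEN[subtype]
    while off + 2 <= len(frame):
        tag, length = frame[off], frame[off + 1]
        body = frame[off + 2: off + 2 + length]
        if tag == TAG_SSID:
            # "Hidden" networks beacon a zero-length SSID or one padded with NULs.
            hidden = length == 0 or body == b"\x00" * length
            return NAMES[subtype], (None if hidden else body.decode("utf-8", "replace"))
        off += 2 + length
    return NAMES[subtype], None


def recover_ssid(frames):
    """Report what each frame type reveals and return the SSID leaked by any
    frame other than the beacon (None if the capture never names the network)."""
    seen = {}
    for frame in frames:
        parsed = parse_mgmt_ssid(frame)
        if parsed:
            name, ssid = parsed
            seen.setdefault(name, ssid)
    leaked = next((s for n, s in seen.items() if n != "beacon" and s), None)
    return seen, leaked


# Constructed capture of a "hidden" network: the AP suppresses the SSID in its
# beacon, but the client names it in a probe request, the AP echoes it in the
# probe response, and the client repeats it in the association request.
HIDDEN_SSID = b"POS-WIFI"
CAPTURE = [
    build_mgmt(SUBTYPE_BEACON, b"", AP_MAC, BROADCAST),
    build_mgmt(SUBTYPE_PROBE_REQ, HIDDEN_SSID, CLIENT_MAC, BROADCAST),
    build_mgmt(SUBTYPE_PROBE_RESP, HIDDEN_SSID, AP_MAC, CLIENT_MAC),
    build_mgmt(SUBTYPE_ASSOC_REQ, HIDDEN_SSID, CLIENT_MAC, AP_MAC),
]

if __name__ == "__main__":
    seen, leaked = recover_ssid(CAPTURE)
    for name, ssid in seen.items():
        print(f"{name:10s} -> {ssid!r}")
    print("SSID recovered despite hidden beacon:", leaked)
```

The same parse_mgmt_ssid() works on raw 802.11 frames from a monitor-mode capture once any radiotap header has been stripped; a client that has the hidden network saved will also probe for it by name wherever it goes, so the name leaks even away from the office.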

Comments

  • 11/5/2008 3:08 AM Maneesh wrote:
    Dont believe in "Security through obscurity".

    Keep it open and secure.

    Maneesh
  • 11/5/2008 12:21 PM manjula wrote:
    I agree with the principle, however I still see some value in cases where a hacker is hacking without any particular target. Naturally if he/she has to choose, it would be the one where broadcast is enabled rather than finding the SSID. My question really is why explicitly mention that in the standards.
  • 6/5/2009 8:41 AM pci compliance wrote:
    Thanks for the information.
  • 8/18/2009 2:07 AM Yogi wrote:
    One reason I can think of is setting up a honeypot! Invite a hacker in and use any info to track them down if needed or to improve security.