Airtight Networks Cloud - Known WLAN inside CDE
The PCI Security Standards Council Wireless Special Interest Group published the PCI DSS Wireless Guideline on July 16, 2009, which clarifies the wireless security requirements. To comply with PCI DSS, all organizations, regardless of whether or not they have deployed a wireless LAN (WLAN), need to pay attention to securing their Cardholder Data Environment (CDE) from wireless threats. All locations must be scanned to eliminate wireless vulnerabilities.
Select your cardholder data environment (CDE) below to see which PCI DSS wireless requirements apply to your organization and which AirTight Cloud service is best for you.
Applicable PCI DSS Requirements
Recommended Airtight Cloud Services
Section 11.1
Conduct wireless scans at least quarterly at all locations
Organizations must scan ALL their sites at least quarterly to detect Rogue or unauthorized wireless devices that may be attached to the CDE. Sampling a few sites for scanning is not allowed. Scanning only the CDE wired network does not serve the purpose, as it cannot detect Rogue wireless devices.
Walking around with a wireless analyzer to conduct scans is a time-consuming process, limited in scope (in terms of the ability to discover Rogue APs and relevance over a longer time duration), cannot scale for large premises, and is costly if multiple sites have to be scanned. Using a wireless IPS (WIPS) for scanning is a much more convenient and comprehensive alternative. A WIPS gives you:
- 24x7 monitoring of wireless devices
- Ability to maintain an up-to-date wireless device inventory (recommended by the PCI SSC Wireless SIG)
- Instant detection of Rogue wireless APs
- Automatic blocking of Rogue APs and other wireless threats or hack attacks
- Location tracking capability to physically hunt down Rogue and other threat-posing wireless devices
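The inventory comparison and the "scan ALL sites at least quarterly" rule described above, as an added example that is not AirTight's code: it checks scan results against an authorized AP inventory and reports sites with no scan in the last 90 days. The inventory, scan records and site list are constructed sample data; it also flags an inventoried AP observed at a site other than its recorded one, which goes slightly beyond the text.

```python
from datetime import date, timedelta

QUARTER_DAYS = 90  # "at least quarterly"

# Constructed sample data (not from the page): authorized APs keyed by BSSID.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": {"site": "store-01", "ssid": "corp-pos"},
    "00:11:22:33:44:02": {"site": "store-02", "ssid": "corp-pos"},
}

# Constructed scan records: site, scan date and APs observed on the air.
SCANS = [
    {"site": "store-01", "date": date(2010, 3, 1),
     "observed": [("00:11:22:33:44:01", "corp-pos"),
                  ("AA:BB:CC:DD:EE:01", "linksys")]},   # AP not in inventory
    {"site": "store-02", "date": date(2009, 11, 15),       # scan older than a quarter
     "observed": [("00:11:22:33:44:02", "corp-pos")]},
]
ALL_SITES = ["store-01", "store-02", "store-03"]        # store-03 was never scanned


def find_unauthorized(scans, inventory):
    """Return (site, bssid, ssid) for every observed AP that is not in the
    inventory, or that is inventoried for a different site (moved or spoofed)."""
    findings = []
    for scan in scans:
        for bssid, ssid in scan["observed"]:
            entry = inventory.get(bssid)
            if entry is None or entry["site"] != scan["site"]:
                findings.append((scan["site"], bssid, ssid))
    return findings


def sites_missing_quarterly_scan(scans, all_sites, today, window_days=QUARTER_DAYS):
    """Sites with no scan inside the last window_days. Every site must appear;
    sampling a subset of sites does not satisfy the requirement."""
    latest = {}
    for scan in scans:
        latest[scan["site"]] = max(latest.get(scan["site"], date.min), scan["date"])
    cutoff = today - timedelta(days=window_days)
    return sorted(s for s in all_sites if latest.get(s, date.min) < cutoff)


if __name__ == "__main__":
    print("unauthorized:", find_unauthorized(SCANS, AUTHORIZED_APS))
    print("sites overdue:", sites_missing_quarterly_scan(SCANS, ALL_SITES, date(2010, 3, 15)))
```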
Recommended Airtight Cloud service: 24x7 Wireless Monitoring Service
Section 11.4
Monitor wireless intrusion alerts
A WIPS should be configured to send automatic threat alerts and instantly notify concerned personnel about potential risks and attacks.
Section 10.5.4
Maintain logs of wireless activity
Archive logs of wireless activity for over one year on a central server where the logs cannot be tampered with, and keep the past 90 days of logs available for immediate review.
Section 10.6
Review wireless access logs daily
Review wireless access logs daily to check for any anomalous activity and follow up on any exceptions. Here a WIPS can be repurposed to maintain records of the wireless activity it has monitored, and can also help in forensic analysis of past data if necessary.
Section 2.1.1
Change default settings:
Change default password:
Replace the default password of your wireless AP with a stronger one (at least eight characters and a mix of alphanumeric characters). This will prevent unauthorized users from logging into your AP and manipulating its settings.
Change default SSID:
The Service Set Identifier (SSID) or network name can be configured on a wireless AP. Replace the default SSID with a unique name that does not reveal the identity or other private information about your organization.
Turn off unused services:
By default, certain wireless APs may run additional services such as Web-based remote management, zero configuration, and SNMP-based monitoring. If you are not using these services, simply turn them off. If you use SNMP, prefer SNMPv3, which supports stronger authentication than its predecessors.
Turn on security settings:
Most wireless APs come with wireless security turned off by default. Cardholder data sent over an unsecured wireless connection is up for grabs and can be passively sniffed by unauthorized users. Turn on the security on your wireless APs and use strong encryption and authentication. See requirement 4.1.1 for more details.
Section 4.1.1
Use strong encryption and authentication
Use WiFi Protected Access (WPA or WPA2) to implement a secure wireless network. Use at least the Temporal Key Integrity Protocol (TKIP), and preferably the Advanced Encryption Standard (AES), to protect in-transit cardholder data against eavesdropping. Implement 802.1X-based central authentication to restrict wireless network access to authorized users. If you instead use Pre-Shared Key (PSK) authentication, use a strong passphrase that is at least eight characters long and a mix of alphanumeric and special characters.
Do not use the Wired Equivalent Privacy (WEP) protocol for encrypting wireless data. WEP is fundamentally broken and cannot be fixed by any supplementary solutions. Use of WEP is not allowed in the CDE after June 30, 2010. If using a WEP-encrypted wireless network, a WIPS that detects and blocks WEP cracking attacks could serve as a compensating control.
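The AP hardening checklist from Sections 2.1.1 and 4.1.1 above (default password, default SSID, unused services, WEP banned, TKIP minimum with AES preferred, PSK passphrase strength), as an added example that is not AirTight's code: a small audit routine run over a factory-default configuration and a hardened one. The configuration field names, the default-password and default-SSID lists, and both sample configurations are constructed for this example.

```python
import re

# Constructed lists of vendor defaults (assumption, not from the page).
DEFAULT_PASSWORDS = {"admin", "password", "1234"}
DEFAULT_SSIDS = {"default", "linksys", "dlink"}
# Services 2.1.1 says to turn off when unused; SNMPv1/v2c are listed so SNMPv3 is preferred.
UNNEEDED_SERVICES = {"web_remote_mgmt", "zeroconf", "snmp_v1", "snmp_v2c"}

# Constructed AP configurations: a factory-default AP beside a hardened one.
WEAK_AP = {"admin_password": "admin", "ssid": "linksys",
           "services": ["web_remote_mgmt", "snmp_v2c", "zeroconf"],
           "encryption": "WEP", "auth": "psk", "psk": "secret"}
HARDENED_AP = {"admin_password": "Gx7#pQ2m", "ssid": "blue-kestrel",
               "services": ["snmp_v3"], "encryption": "AES",
               "auth": "802.1X", "psk": None}


def strong_password(pw, need_special=False):
    """At least eight characters mixing letters and digits; PSK passphrases
    (4.1.1) must also contain a special character."""
    if pw is None or len(pw) < 8:
        return False
    has_alpha = re.search(r"[A-Za-z]", pw) is not None
    has_digit = re.search(r"\d", pw) is not None
    has_special = re.search(r"[^A-Za-z0-9]", pw) is not None
    return has_alpha and has_digit and (has_special or not need_special)


def audit_ap(cfg):
    """Return (requirement, finding) pairs for every setting that fails the checklist."""
    findings = []
    pw = cfg["admin_password"]
    if pw in DEFAULT_PASSWORDS or not strong_password(pw):
        findings.append(("2.1.1", "default or weak admin password"))
    if cfg["ssid"].lower() in DEFAULT_SSIDS:
        findings.append(("2.1.1", "default SSID"))
    for svc in cfg["services"]:
        if svc in UNNEEDED_SERVICES:
            findings.append(("2.1.1", "unneeded service enabled: " + svc))
    enc = cfg["encryption"].upper()
    if enc in ("WEP", "NONE"):
        findings.append(("4.1.1", enc + " not allowed; use WPA/WPA2 with TKIP, preferably AES"))
    elif enc == "TKIP":
        findings.append(("4.1.1", "TKIP meets the minimum; AES preferred"))
    if cfg["auth"].lower() == "psk" and not strong_password(cfg["psk"], need_special=True):
        findings.append(("4.1.1", "PSK passphrase too weak"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_AP), ("hardened", HARDENED_AP)):
        print(name, audit_ap(cfg))
```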
Section 12.3
Develop and enforce wireless usage policies
In defining wireless usage policies, organizations will need to understand how to securely deploy a wireless network and encourage users to follow best practices when they use wireless laptops and handheld devices. Once wireless access policies are defined, a WIPS can be used to truly enforce those policies and proactively secure the CDE against unauthorized wireless access.
Recommended Airtight Cloud service: 24x7 Wireless Remediation Service
Section 12.9
Eliminate wireless threats
A WIPS can help you respond to incidents automatically by blocking wireless threats such as Rogue APs before any damage is done. Any Rogue AP connected to a wired network inside the CDE should be physically removed; the location tracking capability of a WIPS can help locate it. A WIPS can also proactively protect against other common wireless threats such as man-in-the-middle attacks, denial-of-service attacks, and ad-hoc networks.
Section 9.1.3
Restrict physical access
Physical access to authorized wireless APs and clients should be restricted to minimize tampering of these devices and exposure of cardholder data. A WIPS can also serve as a wireless inventory management system, monitoring wireless devices and their activities, tracking their physical location inside the CDE, and enabling the administrator to quickly discover any missing or tampered devices.