In wireless environments connected to the cardholder data environment, which action should be taken at installation?

Study for the PCI Data Security Standard Exam. Master your knowledge with interactive flashcards and multiple-choice questions, each with hints and explanations. Prepare confidently for your certification test!

Multiple Choice

In wireless environments connected to the cardholder data environment, which action should be taken at installation?

Explanation:
Defaults on wireless devices are easy targets for attackers. At installation, any wireless device connected to the cardholder data environment should be hardened by changing all vendor defaults: encryption keys, passwords, and SNMP community strings. These defaults are often published or easily guessable, so leaving them in place gives an attacker quick access to the device and potentially the network. By applying unique credentials and fresh keys from the start, you remove that predictable entry point and greatly reduce the risk of compromise. Changing only the passwords, relying on existing controls, or disabling wireless until PCI scope changes are impractical approaches when proper hardening is feasible now. This practice aligns with PCI DSS guidance that vendor defaults should not be used for security parameters.
