Removing WEP networks from Scope?


El_Luke
03-10-2009, 01:04 PM
All,

Basic Question
If a retailer has a site like a warehouse, that is completely removed from the CHD environment, but uses WEP, can it be removed from scope?

I think so. I'm looking for comments from those who agree or disagree.

More information:
Let's use a warehouse as an example as tons of retailers have warehouses and it could apply to many of our customers.
ACME has a warehouse. The warehouse has nothing to do with credit card transactions. Wireless is used at that warehouse for the handheld guns to check in and out inventory. That wireless is still using WEP because the handhelds would need to be replaced to support WPA. The warehouse networks (wired and wireless) are prevented by a stateful firewall from directly accessing any cardholder networks back at corporate or at the stores/website/whatever. The warehouse network traffic has been clearly locked down to only the systems and protocols needed for business and the rest denied. To reiterate, no IP at the warehouse can get to any IP on the cardholder data networks.

I think it is clearly possible to remove the warehouse from the PCI scope altogether. Since it's out of scope, the wireless there can remain on WEP because, who cares, there is no risk to the CHD.

Thoughts?
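A way to check the segregation the post relies on, written as an added example and not code from the original thread: given a first-match firewall ruleset plus the warehouse and cardholder-data subnets, it reports every allow rule that would let a warehouse address reach a CHD address unless an earlier deny fully shadows it. The ruleset, subnets and rule format are constructed for illustration.

```python
import ipaddress

# Rule format (constructed for this example): (action, src_cidr, dst_cidr, proto, dport)
# proto "any" matches every protocol; dport None matches every port.
def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def _covers(deny, src, dst, proto, dport):
    """True if one deny rule matches every packet of src -> dst for proto/dport."""
    return (src.subnet_of(_net(deny[1])) and dst.subnet_of(_net(deny[2]))
            and deny[3] in ("any", proto) and deny[4] in (None, dport))

def segmentation_gaps(rules, warehouse_nets, chd_nets):
    """Return (index, rule) for allow rules permitting warehouse -> CHD traffic.

    First-match semantics: an allow only counts as a gap if no single earlier deny
    shadows the whole warehouse/CHD overlap. Conservative on purpose: a path that is
    blocked only by a combination of partial denies is still reported for review."""
    gaps = []
    for i, rule in enumerate(rules):
        action, src, dst, proto, dport = rule
        if action != "allow":
            continue
        for w in map(_net, warehouse_nets):
            if not w.overlaps(_net(src)):
                continue
            src_overlap = w if w.subnet_of(_net(src)) else _net(src)  # CIDR overlap is the smaller net
            for c in map(_net, chd_nets):
                if not c.overlaps(_net(dst)):
                    continue
                dst_overlap = c if c.subnet_of(_net(dst)) else _net(dst)
                shadowed = any(r[0] == "deny" and _covers(r, src_overlap, dst_overlap, proto, dport)
                               for r in rules[:i])
                if not shadowed and (i, rule) not in gaps:
                    gaps.append((i, rule))
    return gaps

# Constructed sample: warehouse wired/wireless in 10.50.0.0/16, CHD networks at corporate.
WAREHOUSE = ["10.50.0.0/16"]
CHD = ["10.10.0.0/16", "10.20.5.0/24"]
RULES = [
    ("deny",  "10.50.0.0/16", "10.10.0.0/16", "any", None),   # warehouse -> CHD core blocked
    ("allow", "10.50.0.0/16", "10.60.0.0/16", "tcp", 443),    # inventory app, not CHD: fine
    ("allow", "10.50.2.0/24", "10.20.5.10/32", "tcp", 22),    # forgotten admin exception: a gap
    ("allow", "10.50.0.0/16", "10.10.0.0/16", "tcp", 80),     # shadowed by the first deny
    ("deny",  "0.0.0.0/0",    "0.0.0.0/0",    "any", None),   # default deny
]

if __name__ == "__main__":
    for idx, r in segmentation_gaps(RULES, WAREHOUSE, CHD):
        print(f"rule {idx} lets warehouse traffic into CHD: {r}")
```

An empty result is the evidence to keep with the scoping rationale; a non-empty one means the warehouse is not actually isolated and the WEP segment is back in scope.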

andrewj
03-10-2009, 05:34 PM
Sounds like a perfect example of network segregation being used to reduce the scope of your compliance requirements. No access to CHD = that area out of scope, therefore WEP away to your heart's content.

jbhall56
03-10-2009, 07:27 PM
While AndrewJ is correct that your warehouse is out of scope, be aware that this is what got Best Buy in trouble a couple of years ago. Their inventory management system bar code guns running on wireless got interpreted as POS traffic, and they got a lot of bad press even though they did their best to explain that it was only UPCs, not credit cards.

Always factor the 'bad press' into the equation. If your management isn't willing to take a hit over a non-PCI issue, then you might want to upgrade your WEP to WPA2.