Attackers often use default passwords and other vendor default settings to compromise systems. These passwords and settings are well known and publicly available to anyone who looks for them. That is why it is imperative for merchants to change and secure system credentials.
Applying secure configurations to system components reduces the means available to an attacker to compromise the system. Changing default passwords; removing unnecessary software, functions, and accounts; and disabling or removing unnecessary services all help reduce the potential of an attack.
PCI DSS Requirement 2 outlines the specifics of how to keep systems secure and how to reduce the risk of an attacker gaining access to sensitive information. For additional details and specifics of Requirement 2, read on.
PCI DSS Requirement 2.1: Always change the default settings and values provided by the manufacturer and remove or disable unnecessary default accounts before installing any system on the network.
This rule applies to all devices, applications, and systems within PCI DSS scope. The default accounts and settings of all in-scope devices, applications, and systems should be removed or disabled.
Also, change the default settings and values for all wireless systems, including default wireless encryption keys, passwords, and SNMP community strings, for wireless environments that connect or transmit cardholder data.
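As an added example (not part of the original article), the following Python script shows the kind of check an assessor or administrator can run against exported configuration to find vendor defaults that Requirement 2.1 says must be gone before a system goes on the network: default SNMP community strings in an snmpd.conf and vendor default accounts that still have an interactive shell. The sample files, the default-value sets, and the account names are constructed assumptions for illustration.

```python
import re

# Constructed sample inputs (illustrative, not taken from any real device):
# a vendor-shipped snmpd.conf and a local account file in /etc/passwd format.
SAMPLE_SNMPD_CONF = """\
# snmpd.conf as shipped in the appliance image
rocommunity public
rwcommunity private
rocommunity m0n1tor-7f3a 10.10.1.0/24
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000:Vendor admin:/home/admin:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/usr/sbin/nologin
svc_payment:x:1002:1002:Payment service:/srv/payment:/bin/bash
"""

# Vendor-default values an auditor looks for. These sets are assumptions;
# extend them with the defaults documented for the vendors you actually run.
DEFAULT_COMMUNITIES = {"public", "private"}
DEFAULT_ACCOUNTS = {"admin", "guest", "user", "support"}
# Login shells that leave an account present but unable to log in.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

COMMUNITY_RE = re.compile(r"^(rocommunity6?|rwcommunity6?)\s+(\S+)")


def find_default_communities(conf_text):
    """Return (line_no, directive, community) for each default SNMP community."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        m = COMMUNITY_RE.match(line)
        if m and m.group(2).lower() in DEFAULT_COMMUNITIES:
            findings.append((line_no, m.group(1), m.group(2)))
    return findings


def find_enabled_default_accounts(passwd_text):
    """Return default account names that still have an interactive shell."""
    flagged = []
    for raw in passwd_text.splitlines():
        fields = raw.split(":")
        if len(fields) != 7:
            continue                          # malformed line, skip it
        name, shell = fields[0], fields[6]
        if name in DEFAULT_ACCOUNTS and shell not in NOLOGIN_SHELLS:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for line_no, directive, community in find_default_communities(SAMPLE_SNMPD_CONF):
        print(f"snmpd.conf:{line_no}: default community '{community}' in {directive}")
    for name in find_enabled_default_accounts(SAMPLE_PASSWD):
        print(f"default account '{name}' is still enabled")
```

On the sample data the script reports the `public` and `private` communities and the `admin` account; `guest` is not reported because its shell already prevents login, which is one acceptable way of meeting "remove or disable".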
PCI DSS Requirement 2.2: Create configuration standards for all components of the system.
Make sure that the configuration standards address all known vulnerabilities and are consistent with industry-accepted hardening system standards.
Functions requiring different levels of security should not be run on the same server. The system configuration should be checked to ensure that only one primary function is running on a single server. For example, web servers and database servers need to be installed and run on separate servers.
Where virtualization technologies are used, each virtual system component should likewise perform only one primary function.
Enable only the functions, protocols and services needed for the system to work. Remove unnecessary functions, protocols, and services from the system. Implement additional security measures for functions, protocols or services that are considered unsafe but required for the system to operate.
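To make the configuration standard of Requirement 2.2 something that can be checked rather than only documented, here is an added Python example (not from the original article): a per-role allowlist of services, a parser for output in the style of `systemctl list-unit-files --state=enabled`, and an audit that reports unnecessary services and any host that runs more than one primary function. The roles, service names, and sample output are constructed assumptions.

```python
# Constructed configuration standard for this example: the services each
# server role may have enabled. The roles and service names are assumptions.
CONFIG_STANDARD = {
    "web": {"nginx", "sshd", "chronyd", "rsyslog", "auditd"},
    "db": {"postgresql", "sshd", "chronyd", "rsyslog", "auditd"},
}

# Services that implement a primary function. Two different primary functions
# enabled on one host breaks the one-primary-function-per-server rule.
PRIMARY_FUNCTIONS = {
    "nginx": "web server",
    "httpd": "web server",
    "postgresql": "database",
    "mysqld": "database",
}

# Constructed output in the style of `systemctl list-unit-files --state=enabled`.
SAMPLE_UNIT_FILES = """\
UNIT FILE            STATE   PRESET
auditd.service       enabled enabled
chronyd.service      enabled enabled
nginx.service        enabled enabled
postgresql.service   enabled disabled
sshd.service         enabled enabled
telnet.socket        enabled disabled

6 unit files listed.
"""


def parse_enabled_units(text):
    """Return the bare names of units whose STATE column is 'enabled'."""
    names = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[1] != "enabled":
            continue                      # header, footer, blank, or not enabled
        names.add(parts[0].rsplit(".", 1)[0])   # strip .service / .socket
    return names


def audit_host(role, enabled_services):
    """Compare a host's enabled services against the standard for its role."""
    allowed = CONFIG_STANDARD[role]
    unnecessary = sorted(s for s in enabled_services if s not in allowed)
    primaries = sorted({PRIMARY_FUNCTIONS[s] for s in enabled_services
                        if s in PRIMARY_FUNCTIONS})
    return {
        "unnecessary": unnecessary,
        "primary_functions": primaries,
        # Compliant only when nothing outside the standard is enabled and at
        # most one primary function runs on the host.
        "compliant": not unnecessary and len(primaries) <= 1,
    }


if __name__ == "__main__":
    result = audit_host("web", parse_enabled_units(SAMPLE_UNIT_FILES))
    print(result)
```

For the sample host, declared as a web server, the audit flags `postgresql` and `telnet` as outside the standard and reports two primary functions (database and web server), so the host fails on both counts.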
PCI DSS Requirement 2.3: Encrypt all non-console administrative access to devices using strong encryption.
Use technologies such as SSH, VPN, or SSL/TLS for all web-based and other non-console administrative access. You should also verify that unsafe remote login commands are not in use by reviewing the parameter and configuration files that govern non-console access.
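The review of configuration files that Requirement 2.3 calls for can be partly automated. The Python below is an added example (not the article's own material): it parses an sshd_config excerpt for settings that are not strong encryption (SSH protocol 1, legacy ciphers and MACs) and an inetd.conf excerpt for cleartext remote-login commands (telnet and the r-commands) that are still enabled. The excerpts and the "weak" algorithm sets are constructed assumptions; current OpenSSH releases no longer support protocol 1 at all, so that check matters mainly for older appliances.

```python
# Constructed excerpts used as input (assumptions, not from any real host).
SAMPLE_SSHD_CONFIG = """\
# sshd_config excerpt
Port 22
Protocol 2,1
Ciphers aes256-gcm@openssh.com,aes128-ctr,3des-cbc
MACs hmac-sha2-256,hmac-md5
"""

SAMPLE_INETD_CONF = """\
# inetd.conf excerpt: telnet and the r-commands send sessions in cleartext
#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
shell   stream tcp nowait root /usr/sbin/tcpd in.rshd
login   stream tcp nowait root /usr/sbin/tcpd in.rlogind
exec    stream tcp nowait root /usr/sbin/tcpd in.rexecd
"""

# inetd service names of remote-login commands that carry credentials and
# sessions in cleartext, mapped to the command name people know them by.
CLEARTEXT_LOGIN_SERVICES = {
    "telnet": "telnet", "shell": "rsh", "login": "rlogin", "exec": "rexec",
}

# Legacy algorithms treated as not "strong" in this example (assumption).
WEAK_CIPHERS = {"3des-cbc", "blowfish-cbc", "arcfour", "arcfour128", "arcfour256"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}


def _directives(conf_text):
    """Yield (keyword, value) pairs from an sshd_config-style file."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def check_sshd_config(conf_text):
    """Return human-readable findings for weak settings in sshd_config."""
    findings = []
    for key, value in _directives(conf_text):
        items = {v.strip().lower() for v in value.split(",")}
        if key == "protocol" and "1" in items:
            findings.append("SSH protocol 1 enabled")
        elif key == "ciphers":
            findings.extend(f"weak cipher {c}" for c in sorted(items & WEAK_CIPHERS))
        elif key == "macs":
            findings.extend(f"weak MAC {m}" for m in sorted(items & WEAK_MACS))
    return findings


def enabled_cleartext_logins(inetd_text):
    """Return cleartext remote-login commands that are not commented out."""
    enabled = []
    for raw in inetd_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or disabled entry
        service = line.split()[0]
        if service in CLEARTEXT_LOGIN_SERVICES:
            enabled.append(CLEARTEXT_LOGIN_SERVICES[service])
    return enabled


if __name__ == "__main__":
    for finding in check_sshd_config(SAMPLE_SSHD_CONFIG):
        print("sshd_config:", finding)
    for cmd in enabled_cleartext_logins(SAMPLE_INETD_CONF):
        print("inetd.conf: cleartext login command enabled:", cmd)
```

On the sample input, telnet is commented out and so is not reported, while rsh, rlogin, and rexec are; the sshd_config excerpt produces three findings (protocol 1, 3des-cbc, hmac-md5). The same directive parser can be pointed at the real files an assessor collects.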
PCI DSS Requirement 2.4: Keep an inventory of all PCI DSS in-scope system components.
The list of software and hardware components should be kept up to date and checked regularly to ensure it is complete. When the inventory is not maintained, system components can be overlooked, and the PCI DSS scope ends up defined more narrowly than the environment actually is.
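An inventory is only useful if it is reconciled against what is actually running. As an added example (not from the original article), this Python compares a documented inventory with a set of discovered hosts and reports the three failure modes that lead to under-scoping: components that were never inventoried, inventory entries for components that no longer exist, and entries whose recorded address no longer matches. The host names, addresses, and records are constructed assumptions.

```python
# Constructed inventory (what the scope document lists) and constructed
# discovery results (for example an export from a network scan or a CMDB).
# Host names and addresses are illustrative assumptions.
DOCUMENTED_INVENTORY = [
    {"host": "pos-web-01", "ip": "10.10.1.10", "function": "web server", "owner": "payments"},
    {"host": "pos-db-01", "ip": "10.10.1.20", "function": "database", "owner": "payments"},
    {"host": "old-jump-01", "ip": "10.10.1.99", "function": "jump host", "owner": ""},
]

DISCOVERED_HOSTS = [
    {"host": "pos-web-01", "ip": "10.10.1.10"},
    {"host": "pos-db-01", "ip": "10.10.1.21"},      # re-addressed; inventory never updated
    {"host": "pos-web-02", "ip": "10.10.1.11"},     # added later; never inventoried
]

# Fields every inventory record must carry so that scope decisions can be made.
REQUIRED_FIELDS = ("function", "owner")


def reconcile(documented, discovered):
    """Compare the documented inventory with discovered hosts, keyed by host name."""
    doc_by_host = {d["host"]: d for d in documented}
    seen_by_host = {d["host"]: d for d in discovered}
    # Running but absent from the inventory: the scope is under-defined.
    undocumented = sorted(h for h in seen_by_host if h not in doc_by_host)
    # In the inventory but not found: probably decommissioned and never removed.
    stale = sorted(h for h in doc_by_host if h not in seen_by_host)
    # Present in both, but the recorded address is wrong.
    ip_mismatch = sorted(
        (h, doc_by_host[h]["ip"], seen_by_host[h]["ip"])
        for h in doc_by_host.keys() & seen_by_host.keys()
        if doc_by_host[h]["ip"] != seen_by_host[h]["ip"]
    )
    # Records missing the fields needed to judge scope and ownership.
    incomplete = sorted(h for h, d in doc_by_host.items()
                        if any(not d.get(f) for f in REQUIRED_FIELDS))
    return {
        "undocumented": undocumented,
        "stale": stale,
        "ip_mismatch": ip_mismatch,
        "incomplete": incomplete,
    }


if __name__ == "__main__":
    for category, items in reconcile(DOCUMENTED_INVENTORY, DISCOVERED_HOSTS).items():
        print(f"{category}: {items}")
```

With the sample data, `pos-web-02` is the kind of component that ends up outside the assessed scope, `old-jump-01` is stale (and also lacks an owner), and `pos-db-01` has a stale address; each of those is a finding to close before the inventory is used to define scope.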
PCI DSS Requirement 2.5: Make sure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.
Employees need to be aware of and know about their organization’s information security policies and daily business procedures. To this end, the implementation of the policy should be reviewed. Also, all stakeholders should be made aware of the documentation.
PCI DSS Requirement 2.6: Shared hosting service providers must protect the environment and cardholder data hosted by each organization.
This requirement is designed for hosting service providers that host multiple customers on a single server or shared system. Complying with it aims to protect the cardholder data that the provider hosts for each customer by ensuring the shared environment is kept secure.
Shared hosting service providers must also meet the specific requirements set out in PCI DSS Appendix A1: Shared Hosting Providers.