PCI Requirement 2.6 – Shared Hosting Providers Must Protect Each Entity’s Hosted Environment

by Randy Bartels / December 22, 2022

What is a Shared Hosting Provider? PCI Requirement 2.6 exists to protect hosting environments. When multiple clients’ data sit on the same server, a weakness introduced by one client can expose every other tenant. For example, one client could deploy an insecure script, and because all tenants share a single environment, the other clients’ data could be compromised as well. This is why PCI Requirement 2.6 requires that…

PCI Requirement 2.5 – Ensure Security Policies Are Known to All Affected Parties

by Randy Bartels / December 22, 2022

Ensure that Policies and Procedures are Documented, In Use, and Known to All Affected Parties PCI DSS Requirement 2.5 addresses one of the most important aspects of the assessment. It directs, “Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.” If vendor defaults and other security measures are not continuously managed, it’s harder to…

PCI Requirement 2.4 – Maintain an Inventory of In-Scope System Components

by Randy Bartels / December 22, 2022

Maintaining an Inventory of Assets We believe that if management is not aware of an asset, it’s probably not appropriately protected. Based on PCI Requirement 2.4, we think the PCI Security Standards Council and major card brands believe this as well. PCI Requirement 2.4 states, “Maintain an inventory of system components that are in scope for PCI DSS.” In order to comply with PCI Requirement 2.4, your organization must maintain…
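The practical test of Requirement 2.4 is whether the inventory matches what is actually on the network: a host in the cardholder data environment that nobody recorded is, by the reasoning above, probably unprotected. The script below is an added example (not from the original post or from KirkpatrickPrice); it reconciles a constructed inventory file against constructed discovery results for an assumed CDE subnet of 10.10.20.0/24 and reports three kinds of gap: in-scope hosts the inventory does not know about, inventoried hosts that were not found, and hosts the inventory marks out of scope but that sit inside the CDE address space.

```python
import csv
import io
import ipaddress

# Constructed sample inventory (not real data): what management believes is in scope.
INVENTORY_CSV = """asset_id,hostname,ip,function,in_scope
A-001,pos-app-01,10.10.20.11,payment application,yes
A-002,pos-db-01,10.10.20.21,cardholder database,yes
A-003,jump-01,10.10.30.5,admin jump host,yes
A-004,wiki-01,10.10.20.8,intranet wiki,no
A-005,legacy-batch,10.10.20.40,nightly settlement batch,yes
"""

# Constructed discovery results, in the shape a network scanner might report them.
DISCOVERED = [
    {"ip": "10.10.20.11", "ports": [443]},
    {"ip": "10.10.20.21", "ports": [5432]},
    {"ip": "10.10.20.33", "ports": [22, 8080]},   # nobody inventoried this host
    {"ip": "10.10.30.5", "ports": [22]},
    {"ip": "10.10.20.8", "ports": [80]},
    {"ip": "10.10.20.77", "ports": [22]},         # nor this one
]

# Assumed CDE address space (hypothetical): anything here is in scope
# regardless of what the inventory says about it.
CDE_NETWORKS = [ipaddress.ip_network("10.10.20.0/24")]


def in_cde(ip):
    """True if the address falls inside any CDE network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDE_NETWORKS)


def load_inventory(text):
    """Parse the CSV inventory into a dict keyed by IP address."""
    rows = csv.DictReader(io.StringIO(text))
    return {row["ip"]: row for row in rows}


def reconcile(inventory_text, discovered):
    """Compare inventory to discovery and return (issue, ip) findings, sorted."""
    inventory = load_inventory(inventory_text)
    seen = {host["ip"] for host in discovered}
    findings = []

    # Discovered inside the CDE but absent from the inventory: the case the
    # post warns about, an asset management does not know it owns.
    for ip in seen:
        if ip not in inventory and in_cde(ip):
            findings.append(("unknown_in_scope_host", ip))

    for ip, row in inventory.items():
        # Recorded as in scope but not found: stale entry or an offline system.
        if row["in_scope"] == "yes" and ip not in seen:
            findings.append(("inventoried_but_not_found", ip))
        # Recorded as out of scope yet sitting in CDE address space.
        if row["in_scope"] != "yes" and in_cde(ip):
            findings.append(("scope_mismatch", ip))

    return sorted(findings)


if __name__ == "__main__":
    for issue, ip in reconcile(INVENTORY_CSV, DISCOVERED):
        print(f"{issue:28s} {ip}")
```

Run on the constructed data this flags 10.10.20.33 and 10.10.20.77 as unknown in-scope hosts, 10.10.20.40 as inventoried but not found, and the wiki at 10.10.20.8 as a scope mismatch. In practice the discovery side would come from a scanner and the CDE networks from the network segmentation documentation rather than being hard-coded.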

PCI Requirement 2.3 – Encryption

by Randy Bartels / December 22, 2022

Administrative Access and Strong Encryption PCI Requirement 2.3 calls out the need to encrypt all non-console administrative access using strong cryptography. If your organization does not meet PCI Requirement 2.3, a malicious user could eavesdrop on your network’s traffic and gain sensitive administrative or operational information. Your organization does not have to encrypt all types of access, just administrative access. So, what does “administrative access” mean? If a…

PCI Requirement 2.2.5 – Remove all Unnecessary Functionality

by Randy Bartels / December 22, 2022

Removing All Unnecessary Functionality PCI Requirement 2.2.5 states, “Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.” Unnecessary functions are yet another way that hackers could gain access to your system, so if a function is not needed, it needs to be shut off. The PCI DSS says that, “By removing all unnecessary functionality, organizations can focus on securing the functions that are…
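Requirements 2.3 and 2.2.5 can both be checked against the same evidence: the list of what a system is actually listening on. The script below is an added example (not from the original post or from KirkpatrickPrice) that parses constructed `ss -tlnp` output for a hypothetical web server, flags listeners on cleartext protocols commonly used for remote administration (telnet, rlogin, rsh, ftp) as 2.3 findings, and flags anything outside an assumed per-role allow-list as unnecessary functionality under 2.2.5. Port numbers are a heuristic: a service can run TLS on a non-standard port or cleartext on an expected one, so a hit here is a lead to confirm, not proof.

```python
import re

# Constructed `ss -tlnp` output for a hypothetical CDE web server (not real data).
SS_OUTPUT = """State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1201,fd=6))
LISTEN  0       5       0.0.0.0:23           0.0.0.0:*          users:(("in.telnetd",pid=1400,fd=4))
LISTEN  0       128     127.0.0.1:8080       0.0.0.0:*          users:(("java",pid=1500,fd=20))
LISTEN  0       128     [::]:21              [::]:*             users:(("vsftpd",pid=1533,fd=3))
LISTEN  0       128     0.0.0.0:111          0.0.0.0:*          users:(("rpcbind",pid=601,fd=4))
"""

# Well-known ports of cleartext protocols used for remote administration or
# file management. A listener here is a Requirement 2.3 finding.
CLEARTEXT_ADMIN_PORTS = {21: "ftp", 23: "telnet", 513: "rlogin", 514: "rsh"}

# Assumed allow-list per server role (hypothetical): port -> process that should own it.
# Any other listener is "unnecessary functionality" under Requirement 2.2.5.
ROLE_ALLOW_LIST = {
    "web": {22: "sshd", 443: "nginx"},
}

# One ss line: state, queues, local addr:port, peer, and the first process name.
# The address group is greedy, so "[::]:21" splits into "[::]" and "21".
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"'
)


def parse_listeners(text):
    """Return a list of {addr, port, process} dicts for each LISTEN socket."""
    listeners = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # header or a socket not in LISTEN state
        addr, port, proc = match.group(1), int(match.group(2)), match.group(3)
        listeners.append({"addr": addr, "port": port, "process": proc})
    return listeners


def audit(text, role):
    """Return (port, process, issue) findings for the given role, sorted by port."""
    allowed = ROLE_ALLOW_LIST[role]
    findings = []
    for sock in parse_listeners(text):
        port, proc = sock["port"], sock["process"]
        if port in CLEARTEXT_ADMIN_PORTS:
            findings.append((port, proc,
                             f"2.3 cleartext admin protocol ({CLEARTEXT_ADMIN_PORTS[port]})"))
        elif port not in allowed:
            findings.append((port, proc, "2.2.5 unnecessary listener"))
        elif allowed[port] != proc:
            findings.append((port, proc, "2.2.5 unexpected process on allowed port"))
    return sorted(findings)


if __name__ == "__main__":
    for port, proc, issue in audit(SS_OUTPUT, "web"):
        print(f"{port:>5}  {proc:12s} {issue}")
```

On the constructed output this reports vsftpd on 21 and in.telnetd on 23 as cleartext administrative access, and rpcbind on 111 and java on 8080 as listeners the web role does not need. The 8080 socket is bound to loopback only, so it is not reachable from the network, but it is still functionality the server does not need and the script flags it the same way; whether it stays is a decision to document, not to assume.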