PCI Requirement 2.4 – Maintain an Inventory of In-Scope System Components

by Randy Bartels / December 22, 2022

Maintaining an Inventory of Assets We believe that if management is not aware of an asset, it’s probably not appropriately protected. Based on PCI Requirement 2.4, we think the PCI Security Standards Council and major card brands believe this as well. PCI Requirement 2.4 states, “Maintain an inventory of system components that are in scope for PCI DSS.” In order to comply with PCI Requirement 2.4, your organization must maintain…

PCI Requirement 2.3 – Encryption

by Randy Bartels / December 22, 2022

Administrative Access and Strong Encryption PCI Requirement 2.3 calls out the need to encrypt all non-console administrative access using strong cryptography. If your organization does not meet PCI Requirement 2.3, a malicious user could eavesdrop on your network’s traffic and gain sensitive administrative or operational information.     Your organization does not have to encrypt all types of access, just administrative access. So, what does “administrative access” mean? If a…

PCI Requirement 2.2.5 – Remove all Unnecessary Functionality

by Randy Bartels / December 22, 2022

Removing All Unnecessary Functionality PCI Requirement 2.2.5 states, “Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file system, and unnecessary web servers.” Unnecessary functions are yet another way that hackers could gain access to your system, so if a function is not needed, it needs to be shut off. The PCI DSS says that, “By removing all unnecessary functionality, organizations can focus on securing the functions that are…

PCI Requirement 2.2.4 – Configure System Security Parameters to Prevent Misuse

by Randy Bartels / December 22, 2022

Preventing Misuse PCI Requirement 2.2.4 requires, “Configure system security parameters to prevent misuse.” There are two parts to compliance with PCI Requirement 2.2.4. First, the technical part: your organization’s system configuration standards and hardening guidelines should discuss security settings that have known security implications for each type of system in use. Assessors will need to examine the configuration standards as part of this assessment, to ensure that common security parameter…

PCI Requirement 2.2.3 – Implement Additional Security Features

by Randy Bartels / December 22, 2022

Why Your Organization Needs To Implement Additional Security Features Under PCI Requirement 2, which focuses on hardening your organization’s systems and assets, we find PCI Requirement 2.2.3. PCI Requirement 2 is not just about your servers, it’s about any asset within your environment. PCI Requirement 2.2.3 is also about all types of assets within your environment. PCI Requirement 2.2.3 instructs, “Implement additional security features for any required services, protocols, or…