PCI Requirement 2.2.2 – Enable Only Necessary Services, Protocols and Daemons

by Randy Bartels / December 22, 2022

If It's Not Required, Get Rid of It We believe that the PCI DSS, or really any information security framework, boils down to a simple philosophy: if you do not need it or it is not required, get rid of it. PCI Requirement 2.2.2 directly correlates to this methodology. It directs, “Enable only necessary services, protocols, daemons, etc, as required for the function of the system.” Your business should be…

PCI Requirement 2.2.1 – Implement Only One Primary Function Per Server

by Randy Bartels / December 22, 2022

Finding Cross-Over Between Servers PCI Requirement 2.2.1 is another requirement focusing on hardening standards. PCI Requirement 2.2.1 states, “Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. Where virtualization technologies are in use, implement only one primary function per virtual system component.”     Assessors need to make sure that your systems only have one primary function per…

PCI Requirement 2.2 – Develop configuration standards for all system components

by Randy Bartels / December 22, 2022

Developing Configuration Standards After Industry Best Practices System configuration standards are the proper configuration of system components like networks, servers, and applications. PCI Requirement 2.2 ensures that organizations configure their systems to fix security vulnerabilities. There are two parts that need to be completed in order to comply with PCI Requirement 2.2. First, PCI Requirement 2.2 directs organizations to, “Develop configuration standards for all system components.” Your hardening and configuration…

PCI Requirement 2.1.1 – Change all Wireless Vendor Defaults

by Randy Bartels / December 22, 2022

Hardening Your Wireless Network Similar to the parent requirement, PCI Requirement 2.1, PCI Requirement 2.1.1 focuses on changing vendor-supplied defaults. PCI Requirement 2.1.1, though, relates to all wireless environments. If you’re using a wireless network or device that’s within scope of the PCI DSS, you must ensure that you change all wireless vendor defaults upon installation. You must also ensure that all security-related functions and features are enabled and that…

PCI Requirement 2.1 – Always Change Vendor-Supplied Defaults

by Randy Bartels / December 22, 2022

Why should you change vendor-supplied defaults? Vendor-supplied accounts and passwords pose a serious threat to your organization's security. Although defaults might make installation or even support easier, PCI Requirement 2.1 instructs service organizations to change vendor-supplied defaults because it is pretty simple for hackers to find the vendor-supplied information needed to attack and exploit your system. PCI Requirement 2.1 states, “Always change vendor-supplied defaults and remove or disable unnecessary default…