Preventing Misuse
PCI Requirement 2.2.4 requires, “Configure system security parameters to prevent misuse.”
There are two parts to compliance with PCI Requirement 2.2.4. First, the technical part: your organization’s system configuration standards and hardening guidelines should discuss security settings that have known security implications for each type of system in use. Assessors will need to examine the configuration standards as part of this assessment, to ensure that common security parameter settings are included. A sample of system components should also be inspected to make sure that anything considered risky or might be misused has the appropriate security controls in place to prevent that misuse.
Second, the personnel part: in order for your systems to be configured securely, the staff that is involved in managing these assets needs to have adequate technical and security expertise to understand what types of configuration settings might cause your systems to be misused or risky. To verify that your organization meets PCI Requirement 2.2.4, assessors need to have a conversation with the responsible staff to understand their general knowledge of the security of your system components.
PCI DSS Requirement 2.2.4
The PCI DSS tries to be a one-size-fits-most. The Council realizes that you cannot define security requirements for every situation in every environment. If that was the case, the particular standard being about 400 particular requirements would end up being a mile long.
When we look at the next requirement within the PCI DSS, it defines the needs to configure systems to prevent misuse. Really, what we’re looking for here, is that the administration staff that is involved in managing these assets has the technical expertise and the security expertise in order to understand what types of configuration settings might cause these systems to be misused or be risky. We’re looking for, from an assessment perspective, to have a conversation with the administration staff to understand their general knowledge of the security of these assets. We’re actually going to be looking at the configuration settings as part of this assessment as well, to make sure that anything that might be considered risky or might be misused in some capacity has the appropriate security controls in place to prevent that misuse.