What is PCI Requirement 2?
PCI Requirement 2 mandates, “Do not use vendor-supplied defaults for system passwords and other security parameters.” Were you aware that vendor-supplied default passwords and settings are well-known among the hacker community? PCI Requirement 2 was created to fight the malicious individuals who try to compromise systems with the vendor-supplied default information.
PCI Requirement 2 focuses on hardening your organization’s systems and assets. We’re here to help you understand that PCI Requirement 2 is not just about your servers, it’s about any asset within your environment. Applications, databases, something your organization has developed, something your organization purchased – all types of assets must be compliant with PCI Requirement 2.
Our PCI Requirement 2 videos will provide you with an overview of these 12 sub-requirements:
- 2.1: Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.
- 2.1.1: For wireless environments connected to the cardholder data environment or transmitting cardholder data, change all wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings.
- 2.2: Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
- 2.2.1: Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server.
- 2.2.2: Enable only necessary services, protocols, daemons, etc., as required for the function of the system.
- 2.2.3: Implement additional security features for any required services, protocols, or daemons that are considered to be insecure.
- 2.2.4: Configure system security parameters to prevent misuse.
- 2.2.5: Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.
- 2.3: Encrypt all non-console administrative access using strong cryptography.
- 2.4: Maintain an inventory of system components that are in scope for PCI DSS.
- 2.5: Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.
- 2.6: Shared hosting providers must protect each entity’s hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers.
Introduction to Requirement 2
PCI DSS Requirement 2 is focused on hardening the systems. When we looked at Requirement 1, it was focused on hardening network; Requirement 2 is about hardening your systems and assets. Understand that this particular requirement is not just about your servers. Requirement 2 is about any asset within your environment, whether it be an application, whether it be a database, whether it be something you’ve developed, or whether it be something you’ve purchased off of a shelf, PCI DSS Requirement 2 would apply to those assets.