[PCI-DSS] Requirement 2: Do not use vendor-supplied defaults for system passwords and other security
- 2.1 Always change vendor-supplied defaults before installing a system on the network (for example, include passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts).
- 2.1.1 For wireless environments, change wireless vendor defaults, including but not limited to, wireless equivalent privacy (WEP) keys, default service set identifier (SSID), passwords, and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.
- 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards as defined, for example, by SysAdmin Audit Network Security Network (SANS), National Institute of Standards and Technology (NIST), and Center for Internet Security (CIS).
- 2.2.1 Implement only one primary function per server (for example, web servers, database servers, and DNS should be implemented on separate servers)
- 2.2.2 Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the devices’ specified function)
- 2.2.3 Configure system security parameters to prevent misuse
- 2.2.4 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.
- 2.3 Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS (transport layer security) for web-based management and other non-console administrative access.
- 2.4 Hosting providers must protect each entity's hosted environment and data. These providers must meet specific requirements as detailed in Appendix A: PCI DSS Applicability for Hosting Providers.
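The technical items above (2.1 default SNMP community strings, 2.2.2 unnecessary and insecure services, 2.3 cleartext administrative access) are the ones an assessor actually tests on a host. Below is an added example of such a check as a POSIX sh audit script; it is not part of the PCI DSS text quoted above or of the original post. The Net-SNMP `rocommunity`/`rwcommunity` syntax, the list of cleartext remote-access services, the "port service" listing format (what you would distil from `ss -ltnp` or `netstat -ltnp`) and the sample files are assumptions chosen for illustration, and the inputs are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the PCI DSS text or the original forum post.
# Audits a host's configuration against the technical items of Requirement 2:
#   2.1   vendor-default SNMP community strings still present
#   2.2.2 listening services not needed for the host's primary function
#   2.3   cleartext (unencrypted) administrative access channels
# File paths, service names and the sample inputs below are assumptions.

# 2.1: list community strings in an snmpd.conf that are still vendor defaults.
# Net-SNMP syntax is assumed: "rocommunity <string> [source]" / "rwcommunity <string> [source]".
# Prints "default-community:<string>" per hit; returns 1 if any were found, 0 if clean.
check_snmp_defaults() {
    conf="$1"; hits=0
    for c in $(awk '$1 ~ /^(ro|rw)community$/ {print $2}' "$conf"); do
        case "$c" in
            public|private) echo "default-community:$c"; hits=$((hits + 1)) ;;
        esac
    done
    [ "$hits" -eq 0 ]
}

# 2.2.2 / 2.3: classify listening services.
#   $1 - file with one "<port> <service>" pair per line
#   $2 - space-separated allow-list: the services the host's single primary
#        function (2.2.1) needs, plus its encrypted admin channel (ssh)
# Cleartext remote-access services are flagged "insecure:<svc>:<port>" (2.3);
# anything else not on the allow-list is "unnecessary:<svc>:<port>" (2.2.2).
# Returns 1 if anything was flagged, 0 if the listener set is clean.
audit_listeners() {
    listing="$1"; allowed="$2"; findings=0
    while read -r port svc; do
        [ -z "$port" ] && continue
        case "$svc" in
            telnet|ftp|rsh|rlogin|rexec)
                # management/transfer over cleartext: fails 2.3 outright
                echo "insecure:$svc:$port"; findings=$((findings + 1)); continue ;;
        esac
        case " $allowed " in
            *" $svc "*) ;;   # part of the primary function, keep
            *) echo "unnecessary:$svc:$port"; findings=$((findings + 1)) ;;
        esac
    done < "$listing"
    [ "$findings" -eq 0 ]
}

# Constructed sample inputs (not captured from any real host).
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
SNMP_CONF="$WORK/snmpd.conf"
LISTENERS="$WORK/listeners.txt"
CLEAN_LISTENERS="$WORK/listeners-clean.txt"

cat > "$SNMP_CONF" <<'EOF'
# snmpd.conf as shipped by the vendor, one string already changed
rocommunity public
rwcommunity private 10.0.0.0/8
rocommunity m0nitor-0nly-9f3a 10.0.1.5
EOF

# A web server that still has telnet and a print spooler listening.
cat > "$LISTENERS" <<'EOF'
22 ssh
23 telnet
80 http
443 https
631 cups
EOF

# The same host after hardening.
cat > "$CLEAN_LISTENERS" <<'EOF'
22 ssh
80 http
443 https
EOF

main() {
    echo "== 2.1 SNMP community strings"
    check_snmp_defaults "$SNMP_CONF" || echo "FAIL 2.1"
    echo "== 2.2.2 / 2.3 listeners (web server; admin over ssh)"
    audit_listeners "$LISTENERS" "ssh http https" || echo "FAIL 2.2.2/2.3"
    echo "== after hardening"
    audit_listeners "$CLEAN_LISTENERS" "ssh http https" && echo "PASS"
}
main
```

The allow-list is deliberately per host: under 2.2.1 a web server's list is `ssh http https`, a database server's would be `ssh` plus its database port, so the same script gives a different verdict on each role. Run it against the real `snmpd.conf` and a listener listing generated on the box; a non-zero exit from either function is a finding to clear before the system goes on the network (2.1).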