PCI DSS Requirement 2: Do not use the vendor’s default settings and values for system passwords and other security parameters
Malicious people often use default vendor passwords and other default settings to gain unauthorized access to the systems. Default passwords and settings are well known to attackers and easily accessible on the internet.
PCI DSS Requirement 2.1: Always change the vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.
Vendor-created default settings, usernames and passwords are often used by malicious people to access operating systems, programs, and devices easily. Changing these settings will make the systems more secure against attacks, as these default settings are often posted in hacker communities and are easily accessible over the internet.
Even when a default account is not intended to be used, an attacker can identify and re-enable it. Replace default passwords with strong, unique passwords and disable or remove the default accounts themselves, so that an attacker cannot find and misuse them.
You can check this requirement by trying to sign in to devices and apps using the accounts and passwords provided by the manufacturer. You can use the vendor guides and resources on the internet to find the accounts and passwords supplied by the vendor.
If there are default accounts such as “admin”, “administrator” or “guest” on devices or applications, remove or disable them and replace them with accounts that identify individual users. Each account is then tied to a specific person, and its activity can be traced.
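The check described above can be scripted on a Linux host. The following is an added example, not code from the page or from the PCI SSC: it parses /etc/passwd- and /etc/shadow-style text (the sample data is constructed) and reports every default account that still exists, distinguishing accounts that are still usable from accounts that are merely locked and could be re-enabled. The list of default account names is an assumption for the example and should be taken from the vendor documentation for your own platforms.

```python
"""Find vendor/default accounts that are still present on a Linux host.

Added example, not part of the page: parses /etc/passwd- and /etc/shadow-style
text and reports default accounts that are still enabled, or present but only
locked (an attacker with local access could re-enable them).
"""

# Account names that commonly ship as vendor defaults. Assumed list for the
# example; extend it from the vendor documentation for your own platforms.
DEFAULT_ACCOUNTS = {"admin", "administrator", "guest", "user", "test", "support"}

# Login shells that prevent interactive login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed sample data (not taken from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000:Vendor admin:/home/admin:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
jsmith:x:1002:1002:J. Smith:/home/jsmith:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$salt$hashed:19000:0:99999:7:::
admin:$6$salt$hashed:19000:0:99999:7:::
guest:!:19000:0:99999:7:::
backup:*:19000:0:99999:7:::
jsmith:$6$salt$hashed:19000:0:99999:7:::
"""


def parse_passwd(text):
    """Return {username: login shell} from /etc/passwd-style lines."""
    shells = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 7:
            shells[fields[0]] = fields[6]
    return shells


def parse_shadow(text):
    """Return {username: password field} from /etc/shadow-style lines."""
    hashes = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    return hashes


def account_status(shell, pw_field):
    """Classify one account.

    'enabled': interactive shell and a usable password field (a hash, an empty
               field meaning no password, or no shadow entry at all, which we
               cannot prove is locked).
    'locked' : password field starts with '!' or '*', or the shell is a
               nologin shell. The account still exists and can be re-enabled.
    """
    locked_pw = pw_field is not None and pw_field.startswith(("!", "*"))
    if shell in NOLOGIN_SHELLS or locked_pw:
        return "locked"
    return "enabled"


def find_default_accounts(passwd_text, shadow_text, defaults=DEFAULT_ACCOUNTS):
    """Return {name: status} for every default account that still exists.

    Both results are findings: 'enabled' accounts must be disabled or replaced
    by uniquely identifiable user accounts; 'locked' ones should be removed.
    """
    shells = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    return {
        name: account_status(shells[name], hashes.get(name))
        for name in sorted(defaults)
        if name in shells
    }


if __name__ == "__main__":
    for name, status in find_default_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{name}: {status}")
```

On a real host, feed the script the contents of /etc/passwd and /etc/shadow (the latter needs root). A missing shadow entry is deliberately reported as enabled rather than locked: the check should fail closed when it cannot prove an account is unusable.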
Before installing a system on the network, having an item in your procedures related to changing the defaults provided by the vendor and removing unnecessary default accounts will offer a basic secure installation standard for your organization.
PCI DSS Requirement 2.1.1: Change all wireless default settings and values preset by the manufacturer, including wireless encryption keys, passwords, and SNMP community strings for wireless environments that connect to or transmit cardholder data.
When the default settings of wireless networks are not changed, and appropriate security configurations are not installed, attackers can quickly enter the network and monitor traffic passing over wireless networks, and easily capture data and passwords.
In addition, the key scheme of the older 802.11 encryption (WEP) has been broken, which renders that encryption useless. Device software should be updated, or the devices replaced, to support stronger protocols such as WPA2 or later.
You can apply the following controls to meet this requirement:
- During installation, the encryption keys must be changed from the default keys.
- Encryption keys need to be changed when people who know the keys leave the company or change positions.
- After installation, the default SNMP community strings should be changed.
- Default passwords for access points must be changed after installation.
- Wireless access must require authentication before a client can join the network.
- Check the manufacturer’s documentation and the wireless configuration settings to verify that the default wireless network settings and values have been changed.
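The verification step in the last bullet can be automated against a configuration export. The following is an added example, not code from the page or from any vendor: it reads a simple key=value access-point configuration (the format, the key names and the sample values are all assumed for the example; map them onto your own controller's export format) and reports every setting still at a vendor default or using an encryption mode that is known to be broken. A weak configuration and a corrected one are shown side by side.

```python
"""Flag vendor defaults and broken encryption in an access-point configuration.

Added example, not from the page. The key=value format and the key names are
assumptions for the example.
"""

# Constructed configuration export with the defaults still in place.
WEAK_AP_CONFIG = """\
ssid=STORE-POS
auth_mode=wep
wep_key=0123456789
admin_user=admin
admin_password=admin
snmp_version=2c
snmp_ro_community=public
snmp_rw_community=private
"""

# Constructed configuration export after the defaults have been changed.
HARDENED_AP_CONFIG = """\
ssid=STORE-POS
auth_mode=wpa2-enterprise
admin_user=sec-admin
admin_password=Kq7!vR2#pLm9x
snmp_version=3
"""

# Assumed reference values; take the real ones from the vendor documentation.
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}
DEFAULT_ADMIN_PASSWORDS = {"admin", "password", "1234", "12345", ""}
# Modes with no encryption or with encryption that has been broken.
BROKEN_AUTH_MODES = {"open", "wep", "wpa", "wpa-tkip"}


def parse_config(text):
    """Return {key: value} from key=value lines; blank lines and # comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit_wireless_config(text):
    """Return a sorted list of (key, finding) for settings that must be changed."""
    cfg = parse_config(text)
    findings = []

    # Encryption: anything open, WEP or WPA/TKIP is unacceptable.
    mode = cfg.get("auth_mode", "open").lower()
    if mode in BROKEN_AUTH_MODES:
        findings.append(("auth_mode", f"{mode} is absent or broken encryption; use WPA2 or later"))

    # SNMP: default community strings, and versions that send them in clear text.
    for key in ("snmp_ro_community", "snmp_rw_community"):
        if cfg.get(key, "").lower() in DEFAULT_SNMP_COMMUNITIES:
            findings.append((key, "default SNMP community string"))
    if cfg.get("snmp_version") in {"1", "2c"}:
        findings.append(("snmp_version", "SNMPv1/v2c sends the community string in clear text; use SNMPv3"))

    # Management credentials.
    if cfg.get("admin_password", "") in DEFAULT_ADMIN_PASSWORDS:
        findings.append(("admin_password", "vendor default administrator password"))

    return sorted(findings)


if __name__ == "__main__":
    for key, finding in audit_wireless_config(WEAK_AP_CONFIG):
        print(f"{key}: {finding}")
    print("hardened config findings:", audit_wireless_config(HARDENED_AP_CONFIG))
```

The audit compares against a fixed list of known defaults, so it catches what the vendor documentation says the defaults are; it does not detect a weak but non-default value. Pair it with the manual sign-in test described under Requirement 2.1 and rerun it whenever a device is replaced or its firmware is reset.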
PCI DSS Requirement 2.2: Set configuration standards for all system components. Make sure these standards address all known vulnerabilities and are consistent with industry hardening standards.
Most operating systems, databases and enterprise applications ship with configurations that leave known vulnerabilities exposed, and specific settings must be changed to address them. Several security organizations publish system hardening guidelines that spell out how to do so, so that staff who are not security specialists can apply them.
Examples of configuration standard sources are NIST, SANS, CIS, ISO and the manufacturer’s instructions.
System configuration standards should be kept up to date so that a system is hardened, and its known vulnerabilities addressed, before it is installed on the network.
System configuration standards must be consistent with industry-accepted hardening standards. System configuration standards should be updated as new vulnerabilities are identified.
System configuration standards should include the following items:
- All default settings provided by the manufacturer need to be changed, and the default accounts need to be removed.
- Only one primary function should be implemented per server to isolate tasks that require different levels of security.
- Only the services and protocols required for the system to work must be enabled.
- Additional security measures should be taken if necessary services and protocols that are considered unsafe are required.
- Security parameters need to be adjusted to prevent abuse.
- Any unnecessary functions such as scripts, drivers, features, subsystems, file systems and unnecessary web servers should be removed from the system.
PCI DSS Requirement 2.2.1: Do not host functions that require different levels of security on the same server. Ensure that there is only one application that performs one primary function per server.
When a function that requires a higher level of security shares a server with functions that require less, the protection of the higher-security function is reduced to that of the weakest function on the host. The lower-security functions also add attack surface and can introduce additional vulnerabilities on the same server.
Organizations must understand the security requirements of different server functions as part of the system configuration settings, ensuring that functions requiring different levels of security are not present on the same server.
For example, web servers, database servers, and DNS servers must be installed on separate servers. Only one primary function per virtual system component should be implemented in the case of the use of virtualization technologies.
PCI DSS Requirement 2.2.2: Enable only the services, protocols, and procedures required for the system to work.
Many protocols are commonly used by malicious individuals to compromise a corporate network. Only appropriate resources and protocols should be allowed as part of the organization’s configuration standards and associated processes.
Existing configurations must comply with the system hardening procedures and the configuration standards set by the organization.
PCI DSS Requirement 2.2.3: Implement additional security measures for services that are considered insecure but are required.
Enabling security features and applying installation standards before installing new servers prevents servers with insecure configurations from being added to the network.
Ensuring that all vulnerable services and protocols are adequately protected with adequate security features makes it difficult for malicious individuals to take advantage of the attack techniques that are used frequently.
For information on strong encryption and secure protocols, you can review industry standards and best practices, such as NIST SP 800-52 and SP 800-57 and OWASP.
PCI DSS Requirement 2.2.4: Configure system security parameters to prevent abuse.
System configuration standards and related procedures should specifically address security settings and parameters that have security implications for each type of system used.
To configure the systems securely, the personnel responsible for managing the systems must be familiar with the specific security parameters and settings that apply to the system.
PCI DSS Requirement 2.2.5: Remove all unnecessary functions such as scripts, drivers, features, subsystems, file systems and unnecessary web servers.
Unnecessary functions can give malicious people additional opportunities to access the systems. Organizations should focus on securing the necessary functions by removing unnecessary features and reducing the possibility of misusing unknown functions. Organizations can thus focus on maintaining the required functions and reduce the risk of unnecessary functions.
Server hardening standards should include specific security risks associated with unnecessary functions. For example, if the server will not perform FTP or web server functions, these functions must be removed or disabled from the server.
Only the functions and services determined by the configuration standards and hardening procedures should be included on the systems.
PCI DSS Requirement 2.3: Encrypt all non-console administrative access using strong cryptography.
All non-console access, including remote access, must have secure authentication mechanisms and communication must be encrypted using robust encryption methods.
When secure authentication and encrypted communication is not used for non-console access, confidential administrative or operational-level information can be compromised by malicious individuals. This information can be used by a malicious person to access the network, have administrative rights and steal data.
Clear-text protocols such as HTTP or telnet do not encrypt traffic or login credentials, so anyone able to observe the network path can capture or intercept them.
Strong cryptography depends on both the strength of the keys and the way they are managed; both are essential. Use protocols recognized by the industry and appropriate to the technology in use. Industry standards such as NIST SP 800-52, SP 800-57 and OWASP guidance describe what currently counts as strong cryptography.
Review system services and configuration files to verify that telnet and other insecure remote login protocols are not enabled on the system.
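One way to run that review, and at the same time the "only required services" checks of Requirements 2.2.2 and 2.2.5, is to compare what a host is actually listening on with the baseline defined for its primary function. The following is an added example, not code from the page: it parses `ss -tlnp`-style output (the sample output is constructed) for a host designated as a web server, and classifies each listener as allowed by the baseline, outside the baseline (to be disabled), or a clear-text administrative protocol that must not be used for administration and needs compensating controls under Requirement 2.2.3 if it genuinely cannot be removed. The role baseline is an assumption for the example.

```python
"""Compare listening TCP services against a per-role hardening baseline.

Added example, not from the page. Parses `ss -tlnp`-style output and reports
each listener as allowed, outside the baseline, or a clear-text admin protocol.
"""

# Constructed `ss -tlnp` output for a host whose designated function is "web".
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     0.0.0.0:23          0.0.0.0:*          users:(("in.telnetd",pid=900,fd=4))
LISTEN  0       32      0.0.0.0:21          0.0.0.0:*          users:(("vsftpd",pid=910,fd=3))
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*          users:(("nginx",pid=1000,fd=6))
LISTEN  0       80      127.0.0.1:3306      0.0.0.0:*          users:(("mysqld",pid=1100,fd=20))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Assumed baseline: the only listeners permitted for each primary function.
ROLE_BASELINE = {
    "web": {22, 443},
    "database": {22, 3306},
    "dns": {22, 53},
}

# TCP ports of remote-login/file-transfer protocols that carry credentials in clear text.
CLEARTEXT_ADMIN_PORTS = {21: "ftp", 23: "telnet", 512: "rexec", 513: "rlogin", 514: "rsh"}


def parse_listeners(text):
    """Return {port: process name} from `ss -tlnp` output (process may be '')."""
    listeners = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        # Local address is "addr:port" or "[v6addr]:port"; the port is after the last colon.
        port = int(fields[3].rsplit(":", 1)[1])
        proc = ""
        if len(fields) > 5 and '"' in fields[5]:
            proc = fields[5].split('"')[1]  # users:(("sshd",pid=812,fd=3)) -> sshd
        listeners.setdefault(port, proc)  # v4 and v6 listeners share one entry
    return listeners


def audit_listeners(text, role, baseline=ROLE_BASELINE):
    """Return {port: (process, verdict)} with verdict in {allowed, disable, cleartext}.

    'cleartext' takes precedence over the baseline: even if a role listed port 23,
    telnet cannot satisfy Requirement 2.3 for administrative access.
    """
    allowed = baseline[role]
    report = {}
    for port, proc in parse_listeners(text).items():
        if port in CLEARTEXT_ADMIN_PORTS:
            verdict = "cleartext"
        elif port in allowed:
            verdict = "allowed"
        else:
            verdict = "disable"
        report[port] = (proc, verdict)
    return report


if __name__ == "__main__":
    for port, (proc, verdict) in sorted(audit_listeners(SAMPLE_SS_OUTPUT, "web").items()):
        print(f"{port:>5}  {proc:<12} {verdict}")
```

In the sample, telnet and FTP are reported as clear-text services, and mysqld on a host whose function is "web" is reported as outside the baseline; that last finding is also a Requirement 2.2.1 violation, since a database has been co-located with a web server. The check covers TCP only (`ss -t`); repeat it with `ss -ulnp` for UDP services such as SNMP.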
PCI DSS Requirement 2.4: Keep an inventory of PCI in-scope system components
Keeping an up-to-date list of all system components in scope for PCI DSS lets the organization define the scope of its environment accurately and efficiently for PCI DSS assessments. Without an inventory, components are easily forgotten or overlooked and end up omitted from the organization’s configuration standards.
The inventory of hardware and software components should include a description of each component’s function and use, and the inventory must be updated whenever components are added, changed or removed.
PCI DSS Requirement 2.5: Ensure that security policies and operational procedures are documented, in use, and known to all affected parties to manage manufacturer default settings and other security parameters.
Employees need to be aware of, and follow, the security policies and day-to-day operating procedures so that vendor defaults and other security parameters are managed continuously and insecure configurations and installations are prevented.
PCI DSS Requirement 2.6: Shared hosting providers must protect each entity’s hosted environment and cardholder data.
This requirement is intended for hosting providers that serve multiple clients from a shared environment on the same server, and it applies only to shared hosting providers.
On such shared servers, individual clients usually cannot manage the server settings, because all client data sits on one server under a single administrative environment. A client that adds insecure functions or scripts therefore affects the security of every other client environment, and an intruder who compromises one client’s data may be able to reach the data of all the other clients.
Shared hosting providers must comply with the specific requirements of Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers.
For detailed information, see the PCI DSS Quick Reference Guide from the PCI SSC Documentation library.