Req 2: Apply Secure Configurations to All System Components
Harden systems by changing vendor defaults.
Responsibility
Shared
Compliance Status
In Progress
85%
Overview
Vendor-supplied defaults for system passwords and other security parameters are a common target for attackers. This requirement ensures that all system components are configured securely and that default settings are changed.
Key Actions for Compliance
A non-exhaustive list of actions your organization should take to meet this requirement.
- Develop and maintain secure configuration standards for all system components.
- Change all vendor-supplied default passwords and remove or disable unnecessary default accounts before installing a system on the network.
- Encrypt all non-console administrative access using strong cryptography.
- Maintain an inventory of all system components that are in scope for PCI DSS.
Testing Procedures (Simplified)
How auditors may verify that this requirement is met.
- Examine system configuration standards to ensure they are consistent with industry-accepted hardening standards.
- Interview personnel and examine system settings to verify that vendor-supplied defaults have been changed.
- Check that non-console administrative access is encrypted using technologies like SSH, VPN, or TLS.
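The key actions and testing procedures above can be expressed as a configuration audit. The following is an added illustrative example (not an official PCI SSC tool and not part of this page) that checks a constructed inventory of in-scope components for surviving vendor defaults and for cleartext non-console administrative access; the default-account and cleartext-protocol lists are assumptions an organization would define in its own configuration standard.

```python
"""Audit a component inventory against a PCI DSS Requirement 2 style
configuration standard (added example; the lists below are assumptions)."""
from dataclasses import dataclass

# Assumed vendor default accounts that should be removed or disabled
# unless explicitly justified in the configuration standard.
DEFAULT_ACCOUNTS = {"admin", "guest", "support"}
# Assumed administrative protocols that lack strong cryptography.
CLEARTEXT_ADMIN = {"telnet", "http", "ftp", "snmpv2c"}


@dataclass
class Component:
    name: str
    in_scope: bool                  # in scope for PCI DSS (Key Action: inventory)
    default_password_changed: bool  # vendor default password replaced
    enabled_accounts: set           # accounts currently enabled
    admin_protocols: set            # protocols used for non-console admin access


def audit(comp):
    """Return findings for one component; an empty list means no deviation."""
    findings = []
    if not comp.in_scope:
        return findings  # out-of-scope systems are not assessed here
    if not comp.default_password_changed:
        findings.append(f"{comp.name}: vendor default password still in use")
    for acct in sorted(comp.enabled_accounts & DEFAULT_ACCOUNTS):
        findings.append(f"{comp.name}: unnecessary default account '{acct}' enabled")
    for proto in sorted(comp.admin_protocols & CLEARTEXT_ADMIN):
        findings.append(f"{comp.name}: non-console admin access over cleartext '{proto}'")
    return findings


def audit_inventory(inventory):
    """Run audit() over every component and flatten the findings."""
    return [f for comp in inventory for f in audit(comp)]


# Constructed sample inventory for demonstration only.
SAMPLE_INVENTORY = [
    Component("edge-fw-01", True, True, {"netadmin"}, {"ssh", "https"}),
    Component("pos-switch-03", True, False, {"admin", "netadmin"}, {"telnet", "https"}),
    Component("lab-printer", False, False, {"admin"}, {"http"}),
]

if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY):
        print(finding)
```

The inventory would in practice be generated from the organization's asset register rather than hand-written, and the findings reviewed as evidence for the testing procedures listed above.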