Read this blog to learn what the requirement entails, how to harden your systems, and manage your system configurations.
Did you know that most merchants assume that hardening is part of a POS installer’s job? Unfortunately, this assumption means that many merchants are unaware that they are required to harden their own systems to meet PCI DSS Requirement 2, whoever installed the equipment.
PCI DSS Requirement 2 (“Apply secure configurations to all system components” in v4.0, formerly “Do not use vendor-supplied defaults for system passwords and other security parameters” in v3.2.1) covers how your systems are configured. This includes default accounts and passwords, hardening standards, and the ongoing management of system configurations.
“The key to effective system configuration and hardening is consistency. Once you have identified the systems and applications that need attention and documented a standard that meets your environment’s requirements, make sure processes are in place to follow this standard as time goes on. Keep your standard and process up to date as your business changes and as you discover new threats and vulnerabilities,” - Jen Stone, SecurityMetrics Principal Security Analyst.
Here are a few things you’ll want to consider when getting compliant with PCI Requirement 2.
See also: 5 Simple Ways to Get PCI Compliant
Devices like routers or POS systems usually come straight from the vendor with factory settings such as default usernames and passwords. This makes installation and support easier, but it also means every unit of a given model ships with the same credentials.
Remember that even if the service provider isn’t compliant with PCI security standards, the merchant is still liable in the event of a data breach.
Most default passwords and settings are well known in attacker communities and can be found with a simple Internet search. When defaults aren’t changed, attackers have an easy gateway into a system. To protect your data against unauthorized users, change or disable vendor defaults (default passwords, default accounts, SNMP community strings, and similar settings) on every system that connects to the CDE.
Under PCI DSS v4.0 (Requirements 8.3.6 and 8.3.9), passwords must be at least 12 characters long (8 where the system cannot support 12) and contain both numeric and alphabetic characters, and where a password is the only authentication factor it must be changed at least every 90 days (or the account’s security posture must be dynamically analyzed).
See also: How to Do Passwords Right: Password Management Best Practices
See also: SecurityMetrics PCI Guide
Every application, service, driver, feature, and setting installed on a system introduces possible vulnerabilities. This means you must remove any unnecessary functionality in your system and configure what is left in a secure manner.
To comply with PCI Requirement 2.2, merchants must configure systems to “address all known security vulnerabilities and [be] consistent with industry-accepted system hardening standards.” The sources PCI DSS itself cites for such standards are the Center for Internet Security (CIS), the International Organization for Standardization (ISO), the SANS Institute, and the National Institute of Standards and Technology (NIST).
See also: System Hardening Standards: How to Comply with PCI Requirement 2.2
Consistency is key when trying to maintain a secure environment. Once system hardening standards have been defined, they must be applied to all systems in the environment consistently.
Once each system or device in the environment has been appropriately configured, you still aren’t done. Many organizations struggle to maintain standards over time, as new equipment or applications are introduced into the environment.
This is where it pays to maintain an up-to-date inventory of every type of device, system, and application used in your CDE. However, the list is no good if it doesn’t reflect what is actually deployed.
Make sure someone is responsible for keeping the inventory current, based on what is in use. This way, applications or systems that are not approved for use in the CDE can be discovered and addressed.
Many organizations, especially larger ones, turn to one of the many system management software packages on the market to assist in gathering and maintaining this inventory. These applications scan and report on hardware and software used in a network and can also detect when new devices are brought online. These tools are often also able to “enforce” configuration and hardening options, alerting administrators when a system is not compliant with your internal standard.
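As an added example (not part of the original post and not SecurityMetrics tooling), the following Python script shows the kind of check such a tool performs. It compares a constructed inventory snapshot of two POS hosts against a hypothetical internal hardening standard and reports each deviation: vendor default passwords and unneeded default accounts, services outside the approved set, passwords that are too short or, on single-factor accounts, older than 90 days, and hosts that are not in the approved inventory. Hostnames, account names, service names, and the allowed lists are assumptions for illustration; the numeric thresholds follow PCI DSS v4.0 Requirement 8.3.

```python
"""Hardening-baseline drift check over a constructed inventory snapshot."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List

# Hypothetical internal hardening standard for systems in the CDE.
# Service and account names are made up; the thresholds mirror
# PCI DSS v4.0 Req. 8.3.6 (12 characters) and 8.3.9 (90-day rotation).
ALLOWED_SERVICES = {"sshd", "ntpd", "rsyslog", "pos-app"}
UNNEEDED_DEFAULT_ACCOUNTS = {"guest", "support"}   # must be removed or disabled
MIN_PASSWORD_LENGTH = 12
MAX_PASSWORD_AGE_DAYS = 90


@dataclass
class Account:
    name: str
    enabled: bool
    default_password: bool      # agent matched the hash against the vendor-shipped one
    password_length: int
    last_changed: date
    multi_factor: bool          # True when MFA protects the account


@dataclass
class Host:
    hostname: str
    approved: bool              # listed in the maintained CDE inventory
    enabled_services: List[str]
    accounts: List[Account] = field(default_factory=list)


def check_host(host: Host, today: date) -> List[str]:
    """Return human-readable findings for one host; an empty list means compliant."""
    findings = []
    if not host.approved:
        findings.append("host is not in the approved CDE inventory")
    # Anything running that the standard does not list is unnecessary functionality.
    for svc in sorted(set(host.enabled_services) - ALLOWED_SERVICES):
        findings.append(f"unnecessary service enabled: {svc}")
    for acct in host.accounts:
        if not acct.enabled:
            continue                # disabled accounts satisfy the requirement
        if acct.default_password:
            findings.append(f"{acct.name}: vendor default password still in use")
        if acct.name in UNNEEDED_DEFAULT_ACCOUNTS:
            findings.append(f"{acct.name}: unneeded vendor default account is enabled")
        if acct.password_length < MIN_PASSWORD_LENGTH:
            findings.append(
                f"{acct.name}: password shorter than {MIN_PASSWORD_LENGTH} characters")
        age = (today - acct.last_changed).days
        # Rotation applies only where the password is the sole factor.
        if not acct.multi_factor and age > MAX_PASSWORD_AGE_DAYS:
            findings.append(f"{acct.name}: single-factor password is {age} days old")
    return findings


def audit(hosts: List[Host], today: date) -> Dict[str, List[str]]:
    """Map each non-compliant hostname to its findings; compliant hosts are omitted."""
    report = {h.hostname: check_host(h, today) for h in hosts}
    return {name: f for name, f in report.items() if f}


# Constructed sample snapshot, as a configuration-management agent might collect it.
TODAY = date(2024, 6, 1)    # fixed so the example is reproducible
SAMPLE_HOSTS = [
    Host("pos-01", approved=True, enabled_services=["sshd", "ntpd", "pos-app"],
         accounts=[Account("posadmin", True, False, 16, date(2024, 4, 15), False)]),
    Host("pos-02", approved=False,
         enabled_services=["sshd", "telnetd", "pos-app", "ftpd"],
         accounts=[
             Account("admin", True, True, 5, date(2023, 1, 10), False),
             Account("support", True, False, 14, date(2024, 5, 20), True),
         ]),
]

if __name__ == "__main__":
    for hostname, findings in audit(SAMPLE_HOSTS, TODAY).items():
        print(hostname)
        for item in findings:
            print("  -", item)
```

Running it reports nothing for pos-01 and seven findings for pos-02. In practice the snapshot would come from the inventory tool rather than be typed in, and the standard would live in version control so that changes to it are reviewed the same way as code.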
Here are a few tips to keep in mind for this requirement:
Remember that PCI Requirement 2 remains the responsibility of the merchant who processes card payments, whether or not a POS installer or other third party set up the systems.
“SecurityMetrics is an integral part of the team in our PCI program. We depend on the assessors to make sure that we stay on the compliance track. They do it by developing relationships across campus, discussing upcoming projects or application changes, and being available to us for consulting. They are knowledgeable, helpful and help us keep the campus engaged by their friendly demeanors” - Robbyn Lennon, University of Arizona.
If you need help becoming PCI compliant, please contact our experts or check out further resources here.