PCI Requirements Explained - PCI Requirement 2 - Change Your Defaults!

This is the second blog in a 12-part series addressing each PCI DSS Requirement and the challenges faced by companies going through this process. Click here for our blog post on requirement 1.  

I like to refer to this requirement as the Change Your Defaults requirement. The focus is on the configuration standards and secure function of your devices within your CDE.

PCI DSS Requirement 2 states “Do not use vendor-supplied defaults for system passwords and other security parameters.” The basis of this requirement is to make sure you are not using the default settings that are commonly known to hackers. Default settings are documented across the internet on tons of sites available to anyone.  

These challenges add more to the plate of the personnel responsible but should be viewed as a benefit to the overall IT Security posture of the company. Documentation throughout the PCI Requirements is an all too common theme. Some may view this as a fruitless exercise but, to the PCI world this is extremely important and greatly helps your quality of life and work. As an IT or Security professional, think of the scenario of you on vacation at the beach and the phone rings. Panic is heard on the other end of the line from one of your co-workers looking for what server may be the payment gateway for your CDE and they may need the IP address of that box. Having that information documented and readily available can ensure you are quickly back to your cooler on the beach!!

Companies that require PCI Compliance face some challenges within this requirement. Here are 3 examples of familiar challenges that we see related to PCI Requirement 2:

1. Standard configuration settings for the devices on your cardholder network. IT departments have numerous tasks on a daily and weekly basis, if these standards are identified, documented and then implemented every time a new device is put into production, this could increase the workload on any IT group. These standard configuration settings must include changing of all the default settings provided upon first boot or use of that device.
2. Within this requirement there is a procedure requiring one function per server. For any entity going through a PCI Assessment for the first time this requirement could greatly increase the cost and workload to comply with the PCI Requirements. There can be an argument that virtualization can greatly assist in meeting this requirement. The PCI Council has a published guidance in and around this requirement and suggest anyone that is up against a wall trying to meet this take a read through that guidance.
3. Inventory time!! This is a common challenge usually satisfied by creating a spreadsheet with some fields that must be manually updated. This simple method would satisfy the requirement, but we suggest an automated tool to help keep that populated and updated where possible. How much easier would it be on IT’s workload to just let the tool run and update itself as things change. This can really reduce the risk of missing updates or information within your CDE inventory.

These challenges are just some of the areas within the PCI requirements that many of our client’s face. Another area where our client’s experience challenges is keeping track of the various requirements that must be completed on a quarterly, semi-annual, and annual basis for PCI Compliance.