How to Comply with Requirement 2 of PCI

A firewall is a basic security mechanism for a secure network. Full compliance with requirement 1 of the PCI DSS, i.e., implementing a fully functional firewall, will automatically lead to compliance with requirement 2. However, it is important that people and processes play their part in successfully achieving compliance.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Cyber criminals often use vendor-supplied default passwords and settings to extract sensitive information. These passwords are well known to hackers since they are common and can be easily guessed. Even if a default account is not going to be used, it is still recommended to replace the default password with a strong one and disable the account so that a hacker cannot enable it by using the default password.

2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.

Compliance with this requirement can be achieved by taking a sample of system components and attempting to log in with default accounts and passwords. The change of all default passwords needs to be verified on all operating systems, software programs, system and application accounts, etc. The vendor-supplied passwords to check against can be taken from the vendor's manuals. The same procedure should be followed for default accounts: a sample should be verified for the removal or disablement of all default accounts, such as those for applications, POS terminals, SNMP, software providing security services, etc. In addition, personnel should be interviewed to check their awareness of changing passwords before installing a system on the network and of removing unnecessary default accounts. Documentation supporting the necessary steps in this regard should also be reviewed. The same needs to be done for all wireless devices and wireless environments holding cardholder data.
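The account part of this check can be done offline against copies of a Unix-like system's passwd and shadow files. The following is an added example, not part of the original article; the default account names, the rule that "disabled" means a locked password plus a non-login shell, and the sample files are assumptions constructed for illustration.

```python
# Hypothetical default account names; take the real list from each
# vendor's documentation.
DEFAULT_ACCOUNTS = ("admin", "guest", "vendor_support")
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def account_status(passwd_text, shadow_text, names=DEFAULT_ACCOUNTS):
    """Classify each default account as removed, disabled or ACTIVE."""
    shells = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:           # name:x:uid:gid:gecos:home:shell
            shells[fields[0]] = fields[6]
    hashes = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:           # name:password-field:...
            hashes[fields[0]] = fields[1]
    status = {}
    for name in names:
        if name not in shells:
            status[name] = "removed"
            continue
        # A password field starting with "!" or "*" cannot match any password.
        locked = hashes.get(name, "").startswith(("!", "*"))
        if locked and shells[name] in NOLOGIN_SHELLS:
            status[name] = "disabled"
        else:
            # Usable or empty password, or a login shell: needs follow-up.
            status[name] = "ACTIVE"
    return status

# Constructed sample files, not taken from a real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000:Appliance admin:/home/admin:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/usr/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:$6$constructed$hash:19000:0:99999:7:::
admin:$6$constructed$hash:19000:0:99999:7:::
guest:!:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for name, state in account_status(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{name}: {state}")
```

An ACTIVE result only shows that the account still exists and can be used; whether its password is still the vendor default has to be established separately.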

2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.

For databases, operating systems and applications that have known weaknesses, there are also known ways to fix those weaknesses with the help of security professionals. For those who are not experts in security, some organizations have provided guidelines for system hardening to counter those weaknesses. System configuration guidelines must be kept updated to ensure that, before a system is installed, all new and old weaknesses are identified and rectified.


For compliance, all system components should be checked to verify that the system configuration standards are consistent with the hardening standards accepted by the industry. System configuration policies should be updated as new vulnerabilities arise and should be applied whenever a new system is configured on the network.

The system configuration should be inspected to check that only one function is executed on each server. If functions requiring different levels of security are executed on one server, the functions needing a higher security level have their security reduced to that of the functions with lower security levels. Server functions with a low security level may also introduce weaknesses for the other functions on the server. Where virtualization technology is used, the system configuration should be checked to see that only one function is executed on every single virtual system.

Any insecure system services and protocols that are enabled should be identified, and it should be verified that only the required services and protocols are enabled. Documentation of the security features of these insecure services and protocols should also be verified. All unnecessary functionality, such as drivers, subsystems, scripts, etc., should be removed from the system configuration.

2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.

If encryption is not applied to communication during non-console administration, critical information related to administrative rights and operations can be revealed to malicious users. Such a user can use this information to act as an administrator and steal important data by entering the network. Clear-text protocols (e.g. telnet, http) do not encrypt login details or traffic, which leaves the information exposed to an eavesdropper. For strong encryption it is important to use industry-accepted protocols.

To comply with this requirement, the encryption of non-console administrative access can be verified by taking the following measures:

  • Verify that a strong encryption technique is in use before the administrator's password is requested.
  • Verify that no insecure remote login commands are used for non-console access by reviewing parameter and service files.
  • Verify that any access to web-based interfaces by the administrator is encrypted.
  • Verify that the industry best practices are in use for encryption by interviewing personnel and reviewing vendor documentation.
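One way to carry out the service-file review from the second measure, as an added example that is not part of the original article: it scans inetd.conf-style and xinetd-style text for clear-text remote login services that are still enabled. The list of service names and the sample files are assumptions constructed for illustration.

```python
import re

# Clear-text remote login services as named in inetd/xinetd files
# (login = rlogin, shell = rsh, exec = rexec). Assumed list for this example.
CLEARTEXT = {"telnet", "login", "shell", "exec"}

def inetd_findings(text):
    """Enabled clear-text services in inetd.conf-style text."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out entry is disabled
        service = line.split()[0]
        if service in CLEARTEXT:
            found.append(service)
    return found

def xinetd_findings(text):
    """Clear-text services in xinetd stanzas that lack 'disable = yes'."""
    found = []
    stanzas = re.findall(r"^\s*service\s+(\S+)\s*\{(.*?)\}", text, re.S | re.M)
    for name, body in stanzas:
        m = re.search(r"^\s*disable\s*=\s*(\S+)", body, re.M)
        disabled = m is not None and m.group(1).lower() == "yes"
        if name in CLEARTEXT and not disabled:
            found.append(name)  # xinetd enables a service unless told otherwise
    return found

# Constructed sample files, not taken from a real system.
SAMPLE_INETD = """\
#exec   stream tcp nowait root /usr/sbin/tcpd in.rexecd
telnet  stream tcp nowait root /usr/sbin/tcpd in.telnetd
shell   stream tcp nowait root /usr/sbin/tcpd in.rshd
"""
SAMPLE_XINETD = """\
service telnet
{
    disable = yes
}
service login
{
    socket_type = stream
}
"""

if __name__ == "__main__":
    print("inetd:", inetd_findings(SAMPLE_INETD))
    print("xinetd:", xinetd_findings(SAMPLE_XINETD))
```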

2.4 Maintain an inventory of system components that are in scope for PCI DSS.

This helps an organization to efficiently define its scope for PCI DSS compliance. Without an inventory, some of the system components can be forgotten, resulting in an incomplete scope definition.

To achieve compliance, the list of software and hardware components should be checked and personnel should be interviewed to verify that the list is kept updated at all times. Every system component should also have its function listed next to its name.

2.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.

To ensure that the security policy is implemented consistently, it is important that personnel are well aware of the information security policy and daily operational procedures of their organization. For this purpose, the documentation of the policy should be reviewed and personnel should be interviewed to confirm that the policies concerning information security are documented, implemented, known and understood by all the stakeholders.

2.6 Shared hosting providers must protect each entity’s hosted environment and cardholder data.

This requirement is meant for those hosting providers who have shared hosting setup for more than one client on one server. When all the data exists on the same server, clients often find it hard to manage settings on this shared server. The clients therefore add insecure scripts and functions that have an effect on the overall security of all other clients on the server.

The PCI DSS provides an Appendix A with the standard. It contains additional requirements for shared hosting providers that need to be complied with. Compliance with those requirements can verify that the shared hosting providers secure the cardholder data by ensuring a safe and secure environment.
