Requirement 2

Question 1

Requirement 2

Answer 1

Do not use vendor-supplied efaults for system passwords and other security parameters.

Question 2

Requirement 2.1

Answer 2

Always change vendor supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. This applies to ALL default passwords including, but not lmited to those used by operating systems, software that provides security services, application and system accounts, POS terminals, Simple Network Management Protocol (SNMP) community strings, etc.

Question 3

Requirement 2.1.a

Answer 3

Choose a sample of system components and attempt to log on (with system administrator help) to the devices and applications using default vendor supplied accounts and passwords to verify that ALL default passwords have been changed. Use vendor manuals and sources on the internet to find vendor supplied accounts / passwords).

Question 4

Requirement 2.1.b

Answer 4

For the sample of system components, verify that all unnecessary default accounts (including accounts used by operating systems, security software, applications systems, POS terminals, SNMP, etc.) are removed or disabled.

Question 5

Requirement 2.1.c

Answer 5

Interview personnel and examine supporting documentation to verfiy that all vendor defaults are changed before a system is installed on the network and that unecessary default accounts are removed or disabled before a system is insalled on the network.

Question 6

Requirement 2.1.1

Answer 6

For wireless environments connected to the cardholder data environment or transmitting cardholder dta, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP commuinty strings.

Question 7

Requirement 2.1.1.a

Answer 7

Interview responsible personnel and examine supporting documentationt o verify that encryption keys were changed from default at installation and are changed any time anyone with knowledge of the keys leaves the company or changes position.

Question 8

Requirement 2.1.1.b

Answer 8

Interview personenl and examien policies and procedures to verify default SNMP community strings are requirement to be changed upon installation and default passwords/prhases on access points are required to be changed upon installation.

Question 9

Requirement 2.1.1.c

Answer 9

Examine vendor documentation and login to wireles devices, with system administrator help, to verify default SNMP community strings are not used and default passwords/passphrases on access points are not used.

Question 10

Requirement 2.1.1.d

Answer 10

Examine vendor documentation and observe wireless configuration settings to verify firmware on wireless devices is updated to support strong encryption for authentication over wireless networks and transmission over wireless networks.

Question 11

Requirement 2.1.1.e

Answer 11

Examine vendor documentation and observe wireless configuration settings to verify other security-related wireless vendor defaults were changed if applicable.

Question 12

Requirement 2.2

Answer 12

Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted ssytem hardening standards. Sources of industry accepted system hardenign standards may include but are not limited to the Center for Internet Security (CIS), International Organisation for Standarisation (ISO), SysAdmin Audit Network Security (SANS) institute, and National Institute of Standards Technology (NIST)

Question 13

Requirement 2.2.a

Answer 13

Examine the organisation’s system configuration standards for all types of system components and verify the system configuration standards are consistent with industry accepted hardening standards.

Question 14

Requirement 2.2.b

Answer 14

Examien policies and interview personnel to verify that system configuration standards are updated as new vulnerability issues are identified, as defined in Requirement 6.1.

Question 15

Requirement 2.2.c

Answer 15

Examien policies and interview personnel to verify that system configuration standards are applied when new systems are configured and verified as being in place before a system is installed on the network.

Question 16

Requirement 2.2.d

Answer 16

Verify that system configuration standards include the folloing procedures for all types of system components: changing of all vendor supplied defaults and elimination of all unnecessary default accounts; implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server; enabling only necessary services, protocols, daemons, etc., as required for the function of the system; implementing additional security features for any required services, protocols, or daemons that are considered to be insecure; configuring system security parameters to prevent misuse; and removing all unnecesary functionality, such as scripts, drivers, features, subsystems, fie systems, and unnecessary web servers.

Question 17

Requirement 2.2.1

Answer 17

Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server (for example, web servers, database servers, and DNS should be implemented on separate servers). Note: where virtaulisation technologies are in use, implement only one primary function per virtual system component.

Question 18

Requirement 2.2.1.a

Answer 18

Select a sample of system components and inspect the system configurations to verify that only one primary function is implemented per server.

Question 19

Requirement 2.2.1.b

Answer 19

If virtualisation technologies are used, inspect the system configurations to verify that only one primary function is implemented per virtual system component or device.

Question 20

Requirement 2.2.2

Answer 20

Enable only necessary services, protocols, daemons, etc., as required for the function of the system.

Question 21

Requirement 2.2.2.a

Answer 21

Select a sample of system components and inspect enabled system services, daemons, and protocols to verify that only necessary services or protocols are neabled.

Question 22

Requirement 2.2.2.b

Answer 22

Identify any enabled insecure services, daemons, or protocols and interview personnel to verify they are justified per documented configuraiton standards.

Question 23

Requirement 2.2.3

Answer 23

Implement additional security features for any required services, protocols, or daemons that are considered to be insecure - for example, use secured technologies such as SSH, S=FTP, SSL, or IPSec VPN to protect insecure services such as NetBUIS, file-sharing, Telnet, FTP, etc. // Inspect configuration settings to verify that security features are documented and implemented for all insecure services, daemons, or protocols.

Question 24

Requirement 2.2.4

Answer 24

Configure system security parameters to prevent misuse.

Question 25

Requirement 2.2.4.a

Answer 25

Interview system administrators and/or security managers to verify that they have knowledge of common security parameter settings for system components.

Question 26

Requirement 2.2.4.b

Answer 26

Examine the system configuration standards to verify that common security parameter settings are included.

Question 27

Requirement 2.2.4.c

Answer 27

Select a sample of system components and inspect the common security parameters to verify that they are set appropriately and in accordance with the configuration standards.

Question 28

Requirement 2.2.5

Answer 28

Remove all unnecessary functionality such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.

Question 29

Requirement 2.2.5.a

Answer 29

Select a sample of system components and inspect the configurations to verify that all unnecessary functionality (for example, scripts, drivers, features, subsystems, file systems, etc.) is removed.

Question 30

Requirement 2.2.5.b

Answer 30

Examien the documentation and security parameters to verify that only documented functionality is present on the sampled system components.

Question 31

Requirement 2.3

Answer 31

Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access. // Select a sample of system components and verify that non-console administrative access is encrypted by performing the following.

Question 32

Requirement 2.3.a

Answer 32

Observe an administrator log on to each system and examine system configurations to verify that a strong encryption method is invoked before the administrator’s password is requested.

Question 33

Requirement 2.3.b

Answer 33

Review services and parameter files on systems to determine that Telnet and other insecure remote-login commands are not available for non-console access.

Question 34

Requirement 2.3.c

Answer 34

Observe an administrator log on to each system to verify that administrator access to any web-based management interfaces is encrypted with strong cryptography.

Question 35

Requirement 2.3.d

Answer 35

Examien vendor documentation and interview personnel to verify that strong cryptography for the technology in use is implememented acording to industry best practices and/or vendor recommendations.

Question 36

Requirement 2.4

Answer 36

Maintain an inventory of system components that are in scope for PCI DSS.

Question 37

Requirement 2.4.a

Answer 37

Examine system inventory to verify that a list of hardware and software components is maintained and includes a description of each function/use for each.

Question 38

Requirement 2.4.b

Answer 38

Interview personnel to verify the documented inventory is kept current.

Question 39

Requirement 2.5

Answer 39

Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.

Question 40

Requirement 2.6

Answer 40

Shared hosting providers must protect each entity’s hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers.