PCI DSS Requirement 2 | Vendor Supplied Defaults | Expert Advice

PCI DSS Requirement 2 is the second out of 12 requirements of the PCI DSS initiatives. What’s important to note about PCI DSS Requirement 2 is that it deals largely with removing vendor supplied default password before putting these new system components on the network in the cardholder environment.

Specifically, as stated by the PCI DSS, Requirement 2 is stated in the following:

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Malicious individuals (external and internal to a company) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known by hacker communities and are easily determined via public information.

Under this main requirement, which is essentially just a statement, are a number of “tests” that organizations have to undertake for ensuring they meet the demands of PCI DSS Requirement 2.

Many of the tests that are undertaken for PCI DSS Requirement 2 (and for many of the other requirements also) used the phrase “system components” often and often. You need to really understand what this phrase means, and, according to the official PCI DSS wording, “system components” is Any network component, server, or application included in or connected to the cardholder data environment.

You will see the phrase “system components” in Requirement 2 often, so again, understand what it really means. I will be delving much deeper into each of the 12 requirements, but am first giving readers a high level, common understanding of what each requirement actually means and will then circle back in the coming weeks and months.

If you want to learn more about PCI DSS compliance, visit pciassessment.org