Requirement 2: Apply secure configurations to all system components


  • This requirement covers the controls that reduce the available attack surface on system components by removing unnecessary services, functionality and user accounts, and by changing nonsecure vendor default settings.

  • 2022 Payment Security Report
  • Figure 8. Global state of PCI DSS compliance: Requirement 2

  • Full compliance: Full compliance improved by 5.6 pp, from 64.9% to 70.5%. Despite the improvement, Requirement 2 is (jointly with Requirement 6) the second lowest-performing key requirement in terms of full compliance.

    Control gap: The control gap improved slightly, decreasing from 7.0% to 5.2%. Requirement 2 has the third-highest control gap, after Requirements 11 and 10. Control 2.4 (inventory of system components) features in the Bottom-20 lists of controls. (See page 140).

    Compensating controls: The use of compensating controls reduced significantly between 2019 and 2020, from 6.5% to 1.2%—the lowest use of compensating controls for Requirement 2 since at least 2015.

  • Figure 9. Requirement 2 control performance

    • A tip on sustainable control effectiveness

      Organizations are often unaware that vendor default settings are used on system components within the CDE, due to third-party installation and other reasons. It’s critical to increase internal training on secure configuration standards as well as to automate the management and maintenance of devices to maintain cryptographic keys and configuration and authentication settings, and to schedule frequent internal assessments to confirm compliance.

  • Requirement 2: Apply secure configurations to all system components

    The goal

    The goal of PCI DSS Key Requirement 2 is to develop, apply and maintain an effective, secure configuration management capability for all in-scope system components, reducing the means available to an attacker so that the CDE is not susceptible to attack.

    This goal includes complete integration with all related PCI DSS Key Requirements for the establishment of an effective, integrated series of control systems, and the development and ongoing improvement of all related capabilities, processes, documentation, tools and training needed to achieve < Quantitatively managed/Optimized > maturity of this key requirement by < insert date >.

    Goal applicability and scope considerations

    This goal applies to all in-scope system components, i.e., all applicable hardware and software applications, including wireless network components and components hosted in cloud environments, individuals and teams responsible for implementing and maintaining security configurations, and third parties that support IT system components.

    Goal requirements: some of the primary conditions necessary to achieve the goal

    • Capability—scope control: Create the capacity and ability for effective and sustainable ongoing identification of all in-scope digital assets and system components included in the security configuration management program
    • Capability—change control: Develop an ability for effective, ongoing monitoring, recording, detection and response to configuration changes made to any in-scope component, and include discernment between authorized vs unauthorized modifications
    • Effective communication: Maintain a complete set of documented configuration and system hardening policies, standards and procedures—with detailed change control standards and procedures for applying hardening standards that cover all types of system components and address all known security vulnerabilities. This should include procedures for removing unnecessary functionality from hardware and software applications, changing vendor defaults and commonly known default credentials or security parameters, and securing administrative access to system components, so that they are not susceptible to attack upon implementation or after any update or change
    • Operating procedures: Maintain effective, clearly articulated standard operating procedures, regular training and staff education for meeting security change-configuration program performance standards
    • Ongoing commitment: Include the formal assignment of roles and responsibilities to implement and adhere to policies, standards and procedures; measurement, reporting and improvement of security configuration management performance; and ongoing education and training of system administrators
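    As an added illustration (not code from the Verizon report), the scope-control and change-control capabilities above can be combined in one check: observed settings are compared with the inventory baseline (Control 2.4), a deviation is accepted only when the change register authorized it, and a commonly known vendor default is reported regardless of any ticket. All component names, settings and tickets are constructed.

```python
# Added example for this page (not the report's own code); every value below is constructed.
from __future__ import annotations
from dataclasses import dataclass

# Constructed inventory of in-scope CDE components and their approved baseline settings.
INVENTORY = {
    "pos-gw-01": {"ssh_root_login": "no", "snmp_community": "cde-ro-7f3", "telnet": "disabled"},
    "db-card-02": {"ssh_root_login": "no", "snmp_community": "cde-ro-7f3", "telnet": "disabled"},
}
# Constructed vendor defaults / commonly known values that must never remain in place.
KNOWN_DEFAULTS = {"snmp_community": {"public", "private"}, "ssh_root_login": {"yes"}}
# Constructed change register: (component, setting, new value) approved through change control.
AUTHORIZED_CHANGES = {("db-card-02", "telnet", "enabled")}
# Constructed snapshot of what a configuration scan actually observed in the CDE.
OBSERVED = {
    "pos-gw-01": {"ssh_root_login": "no", "snmp_community": "public", "telnet": "disabled"},
    "db-card-02": {"ssh_root_login": "no", "snmp_community": "cde-ro-7f3", "telnet": "enabled"},
    "kiosk-09": {"ssh_root_login": "yes"},  # not in the inventory at all
}

@dataclass(frozen=True)
class Finding:
    component: str
    setting: str
    kind: str  # unknown_component | vendor_default | unauthorized_change | missing_setting
    value: str

def assess(observed, authorized=AUTHORIZED_CHANGES) -> list[Finding]:
    """Compare an observed snapshot with the inventory baseline.

    A deviation from baseline is accepted only when a matching authorized change
    exists; a known vendor default is reported even if a ticket approved it; a
    component absent from the inventory is a scope-control finding on its own.
    """
    findings = []
    for comp, settings in observed.items():
        baseline = INVENTORY.get(comp)
        if baseline is None:
            findings.append(Finding(comp, "*", "unknown_component", ""))
            continue
        for key, value in settings.items():
            if value in KNOWN_DEFAULTS.get(key, set()):
                findings.append(Finding(comp, key, "vendor_default", value))
            elif value != baseline.get(key) and (comp, key, value) not in authorized:
                findings.append(Finding(comp, key, "unauthorized_change", value))
        for key in baseline.keys() - settings.keys():  # baseline setting the scan no longer sees
            findings.append(Finding(comp, key, "missing_setting", ""))
    return findings
```

Running `assess(OBSERVED)` yields two findings: the SNMP community left at the vendor default on pos-gw-01 and the unknown kiosk-09, while the ticketed telnet change on db-card-02 is accepted.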

    Strong dependencies and integration with other key requirements

    • Requirement 6: Integration with system hardening requirements
    • Requirement 1: Secure configuration of security network control components
    • Requirement 11: Testing whether configuration changes introduced or resolved vulnerabilities
    • Requirement 10: Logging and monitoring of network security control components

    Short-term objectives

    • Scope and automation: Implement and maintain a configuration management system for the effective, automatic identification and status synchronization and reporting of all in-scope components across the entire CDE
    • Communication: Document and effectively communicate configuration standards and implementation, management and monitoring procedures for all system components across the CDE

    Long-term objectives

    • Improvement: Improve and refine configurations and support processes, integration, documentation and training
    • Maturity: Achieve and maintain high-capability maturity and performance on all secure configuration operations, with low deviation from configuration standards and high capability for the rapid detection and correction of configuration nonconformities across the CDE

    Common constraints

    • Capacity: Insufficient personnel to staff the secure configuration management team; incomplete identification of components due to lack of time and automation tools
    • Cost: Lack of budget to procure the tools needed to automate the configuration management functions
    • Competency: Lack of staff qualified to effectively apply secure configuration management tasks