Learn more about Requirement 2 and getting your systems PCI compliant. 

By: Brand Barney
Security Analyst
CISSP, QSA
PCI Requirement 2 involves securing your systems. This includes things like passwords, configuration, and system hardening. Here’s a few things you’ll want to look at when getting compliant with PCI Requirement 2.

SEE ALSO: 5 Simple Ways to Get PCI Compliant



Changing Default Passwords

Devices such as routers or POS systems usually come straight from the vendor with factory settings like default usernames and passwords. This makes device installation and support easier, but it also means every model has the same username and password. Remember that even if the service provider isn’t compliant with PCI security standards, the merchant is still liable in the event of a data breach.

Most default passwords and settings are well known throughout hacker communities and are found via a simple Internet search. When defaults aren’t changed, it gives attackers an easy gateway into a system. Disable vendor defaults on every system that connects with the CDE to protect your data against unauthorized users.

Currently, passwords should be changed every 90 days and contain at least 7 characters, including numeric and alphabetic characters (meeting password complexity requirements). Passwords that fall short of these criteria can usually and easily be broken using a password-cracking tool.

SEE ALSO: How to Do Passwords Right: Password Management Best Practices

System Hardening

Any system used in the CDE needs to be hardened before being put into production.
This means you remove any unnecessary functionality in your system and configure what is left in a secure manner. Every application, service, driver, feature, and setting installed on a system introduces possible vulnerabilities.

To comply with Requirement 2.2, merchants should “address all known security vulnerabilities and [be] consistent with industry-accepted system hardening standards.” Some good examples of hardening guidelines are produced by the following organizations:
  • Center for Internet Security (CIS) 

  • International Organization for Standardization (ISO) 

  • SysAdmin Audit Network Security (SANS) Institute 

  • National Institute of Standards Technology (NIST) 

SEE ALSO: System Hardening Standards: How to Comply with PCI Requirement 2.2

System Configuration Management

Consistency is key when trying to maintain a secure environment. Once system hardening standards have been defined, it’s critical that they are applied to all systems in the environment in a consistent fashion. Once each system or device in the environment has been appropriately configured, you still aren’t done. Many organizations struggle to maintain standards over time, as new equipment or applications are introduced into the environment. 


This is where it pays to maintain an up-to-date inventory of all types of devices, systems, and applications that are used in your CDE. However, the list is no good if it doesn’t reflect reality.

Make sure someone is responsible for keeping the inventory current and based on what is in use. This way, applications or systems that are not approved for use in the CDE can be discovered and addressed. 


Many organizations, especially larger ones, turn to one of the many system management software packages on the market to assist in gathering and maintaining this inventory. These applications scan and report on hardware and software used in a network and can also detect when new devices are brought online. These tools are often also able to “enforce” configuration and hardening options, alerting administrators when a system is not compliant with your internal standard.

Additional tips to consider

Here are a few things to think about:
  • Train employees on policies: make sure employees are aware of policies surrounding password management, system configuration, etc.
  • Update documentation consistently: make sure you’re constantly documenting your updates, which helps prevent liability issues and organizes your security policies
  • Work with experts: if you’re not technically minded, it may be good to have an expert help you with specific configurations and system hardening
Need help in getting PCI compliant? Talk to us!

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.