Contact Us

Requirement 2: Apply secure configurations to all system components

2022 PSR

Please provide the information below to view the online Verizon Payment Security Report.

First Name: Last Name: E-mail: Organization: Organization type Country:

The information provided will be used in accordance with our terms set out in our Privacy Notice. Please confirm you have read and understood this Notice.

By submitting the form, you are agreeing to receive insights, reports and other information from Verizon and affiliated companies in accordance with our Privacy Policy. California residents can view our California Privacy Notice.

I confirm I have read and understood

Verizon may wish to contact you in the future concerning its products and/or services. If you would like to receive these communications from Verizon, indicate by selecting from the dropdown menu below. Please note that you can unsubscribe or update your preferences at any time.

Indicates a required field. The content access link will be emailed to you.

View only

Thank You.

Thank you.

You will soon receive an email with a link to confirm your access, or follow the link below.

Download this document

Thank you.

You may now close this message and continue to your article.

Requirement 2: Apply secure configurations to all system components

The goal	The goal of PCI DSS Key Requirement 2 is to develop, apply and maintain an effective, secure configuration management capability to all in-scope system components, reducing the means available to an attacker to ensure the CDE is not susceptible to attack. This goal includes complete integration with all related PCI DSS Key Requirements for the establishment of an effective, integrated series of control systems, and the development and ongoing improvement of all related capabilities, processes, documentation, tools and training needed to achieve < Quantitatively managed/Optimized > maturity of this key requirement by < insert date >.
Goal applicability and scope considerations	This goal applies to all in-scope system components, i.e., all applicable hardware and software applications, including wireless network components and components hosted in cloud environments, individuals and teams responsible for implementing and maintaining security configurations, and third parties that support IT system components.
Goal requirements: Some of the primary conditions necessary to achieve the goal	Capability—scope control: Create the capacity and ability for effective and sustainable ongoing identification of all in-scope digital assets and system components included in the security configuration management program Capability—change control: Develop an ability for effective, ongoing monitoring, recording, detection and response to configuration changes made to any in-scope component, and include discernment between authorized vs unauthorized modifications Effective communication: Maintain a complete set of documented configuration and system hardening policies, standards and procedures—with detailed change control standards and procedures for applying hardening standards that cover all types of system components and address all known security vulnerabilities. This should include procedures for removing unnecessary functionality from hardware and software applications, changing vendor defaults and commonly known default credentials or security parameters, and securing administrative access removed to avoid system components to ensure that they are not susceptible to attack upon implementation or after making any updates or changes Operating procedures: Maintain effective, clearly articulated standard operating procedures, regular training and staff education for meeting security change-configuration program performance standards Ongoing commitment: Include the formal assignment of roles and responsibilities to implement and adhere to policies, standards and procedures; measurement, reporting and improvement of security configuration management performance; and ongoing education and training of system administrators
Strong dependencies and integration with other key requirements	Requirement 6: Integration with system hardening requirements Requirement 1: Secure configuration of security network control components Requirement 11: Testing if changes to configurations resulted in or solved vulnerabilities Requirement 10: Logging and monitoring of network security control components
Short-term objectives	Scope and automation: Implement and maintain a configuration management system for the effective, automatic identification and status synchronization and reporting of all in-scope components across the entire CDE Communication: Document and effectively communicate configuration standards and implementation, management and monitoring procedures for all system components across the CDE
Long-term objectives	Improvement: Improve and refine configurations and support processes, integration, documentation and training Maturity: Achieve and maintain high-capability maturity and performance on all secure configuration operations, with low deviation from configuration standards and high capability for the rapid detection and correction of configuration nonconformities across the CDE
Common constraints	Capacity: Not having sufficient capacity of personnel to staff the secure configuration management team. Lack of proper identification of components due to lack of time and automation tools Cost: Lack of budget to procure the tools needed to automate the configuration management functions Competency: Lack of staff qualified to effectively apply secure configuration management tasks