Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

All vendor-supplied default passwords must be changed on all devices in the cardholder data environment (CDE). This includes operating system and application passwords on servers, workstations, routers, access points, etc.

System configuration standards must be documented and followed for all systems in the CDE. These configuration standards must be based on an industry-accepted hardening standard, such as one of the following:

• Center for Internet Security (CIS)
• International Organization for Standardization (ISO)
• SysAdmin Audit Network Security (SANS) Institute
• National Institute of Standards Technology (NIST).

Remove or disable all unnecessary functionality of devices in the CDE. For example, unused web servers, print spoolers, and shared file systems services should be disabled.

Disable all insecure methods of remote administration for all devices. For example, Telnet should not be allowed, and only strong encryption and authentication protocols should be supported.

Maintain an inventory of all components in the CDE, including a description of the function or purpose for each.

Go on to Requirement 3 - Data Protection.

Go back to Requirement 1 - Firewalls.