| ๐ผ 2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. | 1 | | 2 | |
| ย ย ย ย ๐ผ 2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. | | | | |
| ๐ผ 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. | 5 | | 2 | |
| ย ย ย ย ๐ผ 2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. | | | | |
| ย ย ย ย ๐ผ 2.2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system. | | | | |
| ย ย ย ย ๐ผ 2.2.3 Implement additional security features for any required services, protocols, or daemons that are considered to be insecure. | | 3 | 3 | |
| ย ย ย ย ๐ผ 2.2.4 Configure system security parameters to prevent misuse. | | | 1 | |
| ย ย ย ย ๐ผ 2.2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers. | | | | |
| ๐ผ 2.3 Encrypt all non-console administrative access using strong cryptography. | | 3 | 4 | |
| ๐ผ 2.4 Maintain an inventory of system components that are in scope for PCI DSS. | | | | |
| ๐ผ 2.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. | | | | |
| ๐ผ 2.6 Shared hosting providers must protect each entity's hosted environment and cardholder data. | | | | |