PCI (Payment Card Industry Security Standard)_Req 2.6

PCI (Payment Card Industry Security Standard)

Do not use vendor-supplied defaults for system passwords and other security measures

Req 2.6

2.6 Shared hosting providers must protect each entity’s hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers.

This is intended for hosting providers that provide shared hosting environments for multiple clients on the same server. When all data is on the same server and under control of a single environment, often the settings on these shared servers are not manageable by individual clients. This allows clients to add insecure functions and scripts that impact the security of all other client environments, and thereby make it easy for a malicious individual to compromise one client’s data and thereby gain access to all other clients’ data. See Appendix A1 for details of requirements.

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other security controls and gains access to encrypted data without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should also be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed, and not sending unprotected PANs using end-user messaging technologies, such as e-mail and instant messaging.

Please refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms for definitions of “strong cryptography” and other PCI DSS terms.




What is a Cybersecurity Compliance Framework?

You don’t need to clutter your security and privacy programs with an ever-increasing number of tools as they become more sophisticated. The Lionfish platform offers a one-stop solution to track progress and monitor any framework, from custom-built ones to highly-specialized and in-demand top security and privacy frameworks and certifications.

With the Lionfish platform, every framework is supported with guided scoping, policies, controls, automated evidence collection, and continuous monitoring, ensuring efficient preparation for audits or attestation in minimal time.

The Lionfish platform is compatible with a wide range of security and privacy frameworks, including:
