PCI DSS (Payment Card Industry Data Security Standard), Test 2.6

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Test 2.6

2.6 Perform testing procedures A1.1 through A1.4, detailed in Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers, for PCI DSS assessments of shared hosting providers, to verify that shared hosting providers protect their entities' (merchants' and service providers') hosted environment and data.

This is intended for hosting providers that provide shared hosting environments for multiple clients on the same server. When all data is on the same server and under the control of a single environment, the settings on these shared servers are usually not manageable by individual clients. This allows clients to add insecure functions and scripts that impact the security of all other client environments, and thereby makes it easy for a malicious individual to compromise one client's data and from there gain access to all other clients' data. See Appendix A1 for details of the requirements.

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other security controls and gains access to encrypted data without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should also be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if the full PAN is not needed, and not sending unprotected PANs using end-user messaging technologies such as e-mail and instant messaging. Please refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms for definitions of "strong cryptography" and other PCI DSS terms.
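As an added example (not PCI SSC text, and not code from this page or from Lionfish), the following Python shows the protection methods named above applied to a PAN: masking for display, truncation for storage, a keyed one-way hash for lookups without storing the PAN, and a pre-send check that redacts PANs from free text before it leaves over e-mail or chat. The test PAN, the sample message and the HMAC key are constructed for the example; in production the key would come from a key management system. The "first six, last four" visibility limit used for masking is PCI DSS Requirement 3.3, which the page itself does not quote.

```python
"""Added example: PAN masking, truncation, keyed hashing and a pre-send
redaction check. Not PCI SSC code; key and sample data are constructed."""
import hashlib
import hmac
import re

# Constructed example key (assumption); real deployments pull this from a KMS/HSM.
EXAMPLE_HMAC_KEY = b"example-key-replace-with-managed-key"

# 13-19 digits, optionally separated by spaces or dashes, not glued to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; separates real PANs from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_pan(digits: str) -> bool:
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_valid(digits)


def mask_pan(pan: str) -> str:
    """Masked PAN for display: at most the first six and last four digits visible."""
    if not is_pan(pan):
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Truncated PAN for storage: only the last four digits are retained, so the
    removed segment cannot be recovered from what is kept."""
    if not is_pan(pan):
        raise ValueError("not a PAN")
    return pan[-4:]


def pan_fingerprint(pan: str, key: bytes = EXAMPLE_HMAC_KEY) -> str:
    """Keyed one-way hash over the whole PAN, usable for lookups/de-duplication.
    Do not store it next to a truncated copy of the same PAN: the pair shrinks
    the search space for an attacker who obtains both."""
    if not is_pan(pan):
        raise ValueError("not a PAN")
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def redact_pans(text: str) -> tuple[str, int]:
    """Replace every Luhn-valid PAN in free text (e-mail, chat) with its masked
    form. Returns the redacted text and the number of PANs found."""
    found = 0

    def _sub(m: re.Match) -> str:
        nonlocal found
        digits = re.sub(r"[ -]", "", m.group(0))
        if not is_pan(digits):      # long numbers that fail Luhn are left alone
            return m.group(0)
        found += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_sub, text), found


if __name__ == "__main__":
    # Constructed sample: a standard test PAN plus an unrelated 13-digit ticket id.
    msg = "Customer card 4111 1111 1111 1111 exp 12/26, ticket 1234567890123"
    print(mask_pan("4111111111111111"))
    print(truncate_pan("4111111111111111"))
    print(pan_fingerprint("4111111111111111"))
    print(redact_pans(msg))
```

The Luhn check keeps the redaction step from mangling order numbers and ticket ids that merely look like card numbers; the sample message shows one of each.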


What is a Cybersecurity Compliance Framework?

You don’t need to clutter your security and privacy programs with an ever-increasing number of tools as they become more sophisticated. The Lionfish platform offers a one-stop solution to track progress and monitor any framework, from custom-built ones to highly-specialized and in-demand top security and privacy frameworks and certifications.

With the Lionfish platform, every framework is supported with guided scoping, policies, controls, automated evidence collection, and continuous monitoring, ensuring efficient preparation for audits or attestation in minimal time.

The Lionfish platform is compatible with a wide range of security and privacy frameworks, including:
