IT-7 Standard for Vendor Supplied Defaults and Parameters on Networks Processing Cardholder Data


In this article

Purpose

This document establishes a formal standard for management of default vendor settings and configurations of systems, firewalls, and routers within Cardholder Data Environments (CDE) and outlines the related requirements specified in the Payment Card Industry Data Security Standards (PCI DSS) that must be implemented into all UMD network infrastructures that are processing cardholder data.

Top

Additional authority

The following standards help guide the content of this document: Payment Card Industry Data Security Standard - Requirement 2.

Top

Scope

This standard applies to all UMD IT elements that are attached to a Cardholder Data Environment (CDE) network. All systems processing cardholder data full Primary Account Number (PAN) or full PAN plus any of the following: cardholder name, expiration date, service code, information from magnetic strip or card chip, and/or Personal Identification Number (PIN) must only be connected to a designated CDE network.

Top

Standard

System components used in sensitive networks often will come with default vendor settings such as usernames, passwords, and configurations. Default parameters for many systems can be found with a web search. Always change vendor-supplied defaults for system passwords. Carefully consider each default parameter before systems are installed in the CDE.

NOTE: As a general rule, every PCI Standard should be reviewed annually and updated as needed to reflect changes to business objectives or the risk environment.

Top

Requirements

Top