Category: PCI DSS Requirement 2
Apply Secure Configurations to All System Components
Systems are frequently compromised by malicious individuals, both internal and external to an organization, who make use of vendor default settings and passwords. These settings and passwords are well known and easy to determine from public information, such as vendor documentation and published default-credential lists.
Configuring system components securely leaves attackers fewer options for a successful attack. Entities subject to PCI DSS should reduce their attack surface by changing default passwords, removing unnecessary software, accounts, and functions, and disabling or removing unnecessary services. It may be obvious, but it should be stated: the external attack surface should be clearly understood and monitored continuously.
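The checks above (default passwords, vendor default accounts, unnecessary or insecure services, default SNMP community strings) are the kind of thing a configuration-standard audit should verify on every in-scope host. The following is an added example, not code from the PCI SSC, any vendor, or this page's author. The per-role service allowlist, the default-account and default-password lists, the `pbkdf2$salt$hash` storage format, the salt, and the `pos-gw-01` inventory are all constructed for illustration; a real audit would pull the inventory from the host and the lists from the entity's own configuration standard.

```python
"""Configuration-baseline checker in the spirit of PCI DSS Requirement 2.

Added example, not PCI SSC or vendor code. Every list below is an
illustrative stand-in for an entity's own configuration standard.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Services permitted per server role (hypothetical). Anything enabled that is
# not listed for the host's role is treated as unnecessary.
ROLE_SERVICE_ALLOWLIST: Dict[str, Set[str]] = {
    "web": {"sshd", "nginx", "auditd", "rsyslog", "chronyd"},
    "db": {"sshd", "postgresql", "auditd", "rsyslog", "chronyd"},
}
# Services never acceptable because they carry credentials in the clear.
INSECURE_SERVICES = {"telnetd", "vsftpd", "rsh"}
# Accounts commonly shipped by vendors (illustrative); remove or disable if unused.
VENDOR_DEFAULT_ACCOUNTS = {"admin", "guest", "cisco", "pi", "ubnt", "support"}
# Vendor default passwords to try against stored hashes (illustrative subset).
VENDOR_DEFAULT_PASSWORDS = ["admin", "password", "cisco", "raspberry", "ubnt", "changeme"]
# Default SNMP community strings.
DEFAULT_COMMUNITIES = {"public", "private"}

ROUNDS = 50_000
SALT = bytes.fromhex("0123456789abcdef0123456789abcdef")  # constructed salt


def hash_password(password: str, salt: bytes, rounds: int = ROUNDS) -> str:
    """Hypothetical stored-hash format: pbkdf2$<salt hex>$<digest hex>."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2${salt.hex()}${digest.hex()}"


def uses_default_password(stored: str, rounds: int = ROUNDS) -> Optional[str]:
    """Return the vendor default that reproduces the stored hash, or None.

    This is a credential audit against a known-default list; it does not
    need the plaintext, only the stored salt and digest."""
    _, salt_hex, digest_hex = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    for candidate in VENDOR_DEFAULT_PASSWORDS:
        guess = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, rounds).hex()
        if hmac.compare_digest(guess, digest_hex):
            return candidate
    return None


@dataclass
class Host:
    name: str
    role: str
    enabled_services: Set[str]
    accounts: Dict[str, dict]  # username -> {"enabled": bool, "hash": str}
    snmp_communities: Set[str] = field(default_factory=set)


def check_host(host: Host) -> List[str]:
    """Compare one host against the baseline and return human-readable findings."""
    findings: List[str] = []
    allowed = ROLE_SERVICE_ALLOWLIST.get(host.role, set())
    for svc in sorted(host.enabled_services):
        if svc in INSECURE_SERVICES:
            findings.append(f"{host.name}: insecure service enabled: {svc}")
        elif svc not in allowed:
            findings.append(f"{host.name}: unnecessary service for role {host.role}: {svc}")
    for user, info in sorted(host.accounts.items()):
        if not info["enabled"]:
            continue  # disabled accounts are out of scope for both checks
        if user in VENDOR_DEFAULT_ACCOUNTS:
            findings.append(f"{host.name}: vendor default account still enabled: {user}")
        hit = uses_default_password(info["hash"])
        if hit:
            findings.append(f"{host.name}: account {user} uses vendor default password '{hit}'")
    for community in sorted(host.snmp_communities & DEFAULT_COMMUNITIES):
        findings.append(f"{host.name}: default SNMP community string: {community}")
    return findings


def sample_hosts() -> List[Host]:
    """Constructed inventory: the same host as shipped, and after hardening."""
    as_shipped = Host(
        name="pos-gw-01", role="web",
        enabled_services={"sshd", "nginx", "telnetd", "cupsd", "rsyslog", "chronyd", "auditd"},
        accounts={
            "admin": {"enabled": True, "hash": hash_password("admin", SALT)},
            "root": {"enabled": True, "hash": hash_password("password", SALT)},
            "ops": {"enabled": True, "hash": hash_password("Correct-Horse-Battery-Staple-91", SALT)},
        },
        snmp_communities={"public"},
    )
    hardened = Host(
        name="pos-gw-01", role="web",
        enabled_services={"sshd", "nginx", "rsyslog", "chronyd", "auditd"},
        accounts={
            "admin": {"enabled": False, "hash": as_shipped.accounts["admin"]["hash"]},
            "root": {"enabled": True, "hash": hash_password("u7!Qx-2mLp#zR9vW", SALT)},
            "ops": {"enabled": True, "hash": as_shipped.accounts["ops"]["hash"]},
        },
        snmp_communities={"pos-ro-7c1e"},
    )
    return [as_shipped, hardened]


if __name__ == "__main__":
    for h in sample_hosts():
        for line in check_host(h) or [f"{h.name}: no findings"]:
            print(line)
```

The as-shipped host yields six findings (a printing daemon and telnet that the web role does not need, the `admin` account still enabled and on its default password, `root` on a default password, and the `public` community string); the hardened copy yields none. The default-password check works from stored hashes rather than plaintext, which is how an audit would run against a real credential store; the cost of trying each candidate is the cost of the hash function, so keep the default list targeted rather than turning this into a general cracker.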