What Is PCI System Hardening?

If you’re a merchant that handles card payment data, you must maintain PCI DSS compliance. This compliance regulation is necessary to help protect cardholders’ sensitive payment data from card fraud and theft. This article will discuss the PCI DSS Requirement 2.2, one of the strictest regulations regarding payment security.  

What Is PCI Compliance? 

Before diving into PCI system hardening, let’s briefly review PCI compliance. Any organization that processes, stores, or transmits cardholder data is subject to the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is an industry-standard established to secure cardholder data and is necessary for businesses that want to use cards from the major card brands – Visa inc., MasterCard Worldwide, Discover Financial Services, American Express, and JCB International. The PCI DSS has 12 requirements, including over 300 security checks in total. These 12 requirements fall under 6 main categories necessary to achieve PCI compliance.

• Build and Maintain a Secure Network and Systems
• Protect Cardholder Data
• Maintain a Vulnerability Management Program
• Implement Strong Access Control Measures
• Regularly Monitor Test Networks
• Maintain an Information Security Policy  

PCI and System Hardening 

PCI DSS Requirement 2.2 is a complex and challenging regulation for organizations to maintain because it involves system hardening. System hardening ensures system elements are strengthened as much as possible before joining a network. This approach helps protect businesses by mitigating vulnerabilities in applications, systems, and information technology infrastructure. Typically, default operating systems and application configurations are built to be easy to use and deploy rather than for security purposes. Therefore, these systems can expose an organization’s infrastructure to security vulnerabilities, such as malicious attacks. Indeed, system hardening can help organizations reduce malicious attack opportunities by removing unnecessary applications, programs, and access points that can jeopardize their internal system’s security postures and expose sensitive data. Further, PCI DSS Requirement 2.2 covers configuration settings, passwords, and system hardening crucial to meeting this compliance standard.  

Under Requirement 2.2, the PCI DSS states that merchants must “address all known security vulnerabilities and [be] consistent with industry-accepted system hardening standards.” The following organizations have published specific guidelines to help businesses fix security weaknesses per common industry-accepted standards. 

• Center for Internet Security (CIS) 
• International Organization for Standardization (ISO) 
• SysAdmin, Audit, Network, and Security (SANS) Institute 
• National Institute of Standards and Technology (NIST) 

 

Merchants can find additional research to assist with system hardening: 

• Information Assurance Support Environment 
• VMware environments  

How to Do System Hardening 

When a business introduces a new application, appliance, system, or device, it’s recommended that system hardening is implemented. System hardening is a key process that will remove unnecessary functionality and securely configure critical systems. After a system is hardened and introduced to an environment, organizations need to maintain this level of security by regularly updating or fixing identified vulnerabilities and weaknesses. It’s important for new patches or software versions to be added to the existing hardening process. Thus, old vulnerabilities are not reintroduced into an organization’s environment, posing a security risk.  

Four Steps to Achieve PCI Requirement 2.2 Compliance 

There are four key steps to comply with PCI DSS Requirement 2.2. Since this process is complex, it can help compare it to building and protecting a house. Just like it takes careful planning to protect a home from the outside (e.g., with fences, locks, and cameras), it’s essential to protect the house by building a solid foundation (e.g., bricks, siding, roofs, and doors). Similarly, system hardening is making new applications, systems, and other devices as strong as possible. 

Some organizations believe simple security measures like firewalls and data security layers are sufficient to protect systems and meet system-hardening compliance requirements. However, system hardening is more about locking, protecting, and strengthening system components instead of adding new security software layers and hardware.  

1. Systems Are Not Safe Out of the Box 

Most systems and devices are not fully secure out of the box. For example, Windows, Linux, and other operating systems are not pre-hardened. Thus, organizations must prioritize keeping their systems and devices secure. Unfortunately, many system administrators view system hardening as a chore that businesses can do instead. On the other hand, most merchants believe it is the vendor’s job to harden their systems. While some vendors may take care of system hardening, it may not meet the strict compliance requirements if they are unfamiliar with PCI DSS. 

To avoid confusion and introduce compliance scope, businesses should not rely on a point of sale (POS) company to fully secure a system or device out of the box. Indeed, the PCI Council recommends that merchants hire a PCI DSS Qualified Integrated Reseller (QIR) who has the training and expertise to implement PCI DSS standards, including system hardening. 

2. Research and Seek Help With System Hardening 

Just like homebuilding should be left to the experts, it’s a good idea for businesses to seek help with hardening their systems. An expert QIR has the knowledge and certifications to follow industry-accepted guidelines when hardening systems and identify and address common security holes found in operating systems and environments to be integrated. These security guidelines are necessary to secure an organization’s systems from cyberattacks.  

 

Specifically, these industry guidelines will list: 

• Configurations to harden specific system components 
• Online resources to learn about vulnerabilities 
• Procedures to remediate vulnerabilities 
• Vulnerability descriptions 

Aside from receiving expert help, merchants will need to research their organization’s specific security needs. This is a critical step because every system environment is unique regarding which operating system versions, web servers, and applications will be used and how often these systems need to be updated or replaced. While it would be ideal to have a simple document to reference, it will take time for businesses to research and determine what their environments’ system hardening needs are, how to apply hardening guidelines to their existing security layers, and how to comply with PCI DSS Requirement 2.2. 

3. Implement System Hardening 

Like building a home, system hardening requires time, strategy, tweaking, and regular maintenance. Depending on the organization’s environment, certain guidelines may need to be followed: 

• Disable specific device ports 
• Remove an OS feature 
• Start or discontinue a service
• Uninstall software 

It’s important to note that these guidelines may involve changing or disabling default settings or even removing unnecessary features or applications. This is a part of the hardening process and helps prevent sensitive data and systems from being compromised. For example, older HP computers used to come preinstalled with customer service software that automatically reported user activity back to HP. Indeed, this created security vulnerabilities, which is why this type of software was recommended to be uninstalled from HP computers. Furthermore, testing is another key step during system hardening to ensure critical business operations and services are not compromised.  

 

Specific PCI DSS Requirement 2.2 Controls to Follow

 

• Ensure that servers do not have more than one function:
  PCI DSS Requirement 2.2 states that servers must not have more than one primary role. Having one function per server is to prevent vulnerabilities across an entire server. For example, if one layer of security becomes compromised, the other functions on the same server become vulnerable.

  Additionally, if server functions requiring different security levels are on the same server, higher security levels will be reduced due to being exposed to fewer security functions. Indeed, organizations must ensure that functions requiring different security needs do not exist on the same server layer.  

• Remove unnecessary services and features from your organization’s systems:
  PCI DSS Requirement 2.2 also requires merchants to remove all unnecessary services and server functionality, which will help prevent cyberattacks. By only enabling services, features, and applications needed to operate systems, this reduces the likelihood that hackers can exploit security loopholes and gain access to private networks. Furthermore, this makes it easier for businesses to focus on securing essential system functions.

  While it may seem like the PCI QSA should determine what is necessary or what is not, it’s the organization’s responsibility. It’s recommended that businesses choose unnecessary functionality by taking a sample of system elements and comparing them to their current configuration and hardening standards.  

• Update default passwords and configuration settings:
  As mentioned before, systems are not safe out of the box. For example, firewalls, routers, and POS systems typically are set up with vendors’ default usernames and passwords. These factory settings ensure that every model has the same username and password. Unfortunately, these default configuration settings are well known within the hacker community and a quick online search. Thus, organizations must update or disable these vendor default settings to protect their sensitive data from unauthorized access.  

4. Keep a Record of Hardened Systems 

When updating a house, it’s essential to reference the associated blueprint to determine the most efficient way to make changes. Without that blueprint, there are potential risks of damaging something. This is also true for system hardening, which should always be documented to keep an updated record of current hardening standards, the reasons why standards are chosen, and completed hardening checklists.  

Why Documentation Is Important: 

• PCI auditors will need proof that an organization has achieved PCI DSS Requirement 2.2, such as documentation of research and configuration settings enabled for systems.  
• When a new system administrator is hired, documentation is crucial to reference how system hardening is implemented and what needs to be maintained. 
• If an organization needs to modify its existing systems, having records handy will save countless hours of research, which is something every business can appreciate.  

How to Be PCI Compliant 

In addition to Requirement 2.2, merchants that accept, process, or transmit cardholder data must meet PCI compliance. Without this compliance, organizations can be subject to steep fines and potentially lose their merchant accounts needed to accept card payment methods. We hope this article helped you better understand PCI system hardening and why it’s necessary to protect your organization’s systems from cyberattacks. If you are interested in learning more about system hardening or PCI compliance, contact TokenEx today, the leading cloud-based tokenization platform in Oklahoma.