One of the more commonly misunderstood requirements of the Payment Card Industry Data Security Standard (PCI DSS) is configuration standards, specifically addressed in requirement 2.2.1. PCI standards help safeguard sensitive customer information.
The requirement shows that component “hardening” is just one part of the broader topic of configuration standards. The goal isn’t just hardening—it’s helping ensure consistency in how system components are configured to reduce the risk of missing something. To meet this requirement, organizations must provide documented configuration standards.
Common Misconceptions
There are a couple of common misconceptions seen during PCI assessments. First, some believe that a system installation image alone can serve as the configuration standard for that system type. This isn’t accurate: an image is the output of configuration decisions, not the documented, management-approved standard those decisions should come from. For example, when a new operating system is released, someone must install it and decide how it should be configured before creating the image. That decision-making process is what forms the configuration standard, which must be documented and approved.
Second, some think that simply providing downloaded copies of industry-accepted hardening standards—like the Center for Internet Security (CIS) benchmarks—is enough to meet the PCI requirement. This is incorrect, as those benchmarks are not configuration standards and aren’t tailored to the specific organization being assessed.
Key Goal of Requirement
As mentioned earlier, the key goal of this requirement is consistency. Without it, hardening efforts will be inconsistent and poorly implemented. With proper configuration standards, organizations have clear guidance on how to configure their devices. When hardening is part of these standards, it’s more likely to be applied consistently across all components.
In cases of device failure that requires a full rebuild or replacement, documented standards help ensure the new device is configured the same as the original. Without them, settings may be missed or forgotten, creating security gaps.
These standards must be submitted during a PCI assessment. Assessors use them to compare approved settings with the actual configurations of the components being assessed. They check whether each device’s configuration matches its documented standard. Even if a setting meets PCI DSS requirements, if it doesn’t match the configuration standard, it could still result in a compliance gap. That’s because PCI DSS expects configurations to both adhere to the requirements and align with the organization’s documented standards—consistently applied across all devices.
Considerations for Configuration Standards
To meet the configuration standards requirement, consider the following:
- Documented configuration standards are required for all in-scope system components, not just servers and workstations. This includes network security devices like routers, switches, and firewalls, as well as databases, e.g., SQL or Oracle, hypervisors, load balancers, and more.
- Standards should address known security vulnerabilities for each component. As new vulnerabilities emerge, documentation should be updated to reflect necessary changes.
- Each standard must include security hardening based on an industry-accepted benchmark. If no such benchmark exists, use the manufacturer’s hardening guidance.
- Organizations should have a process to make sure new components meet the documented standard before being deployed in production.
- Standards should cover sub-requirements under 2.2.x and other relevant PCI DSS requirements for each component type—such as anti-malware installation, password and session timeouts, log server settings, and time synchronization. If these settings aren’t documented, they may be misconfigured, and assessors won’t have the evidence needed to verify them.
- If compliance gaps are found during an assessment, it often means configuration standards are either incomplete or not properly followed.
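The comparison an assessor performs, and the pre-deployment check the list above calls for, can both be expressed as a small drift check: for each setting in the documented standard, decide whether the actual value fails the PCI DSS intent outright, or meets it but still differs from the approved value (the "compliant setting, still a gap" case described earlier). The following is an added example, not code from the article or from Forvis Mazars; the standard, the hostnames and the collected settings are constructed for illustration, and the `pci_ok` predicates encode assumed interpretations of the requirement, not the standard's own text.

```python
"""Configuration-standard drift check (added illustrative example).

A documented standard maps each setting to (approved value, PCI-intent predicate).
Findings distinguish three cases so the report mirrors how an assessor reads it:
  missing         - the setting is not present on the component at all
  pci_gap         - the value fails the PCI DSS intent for that control
  standard_drift  - the value satisfies PCI but does not match the approved standard
"""
from typing import Any, Callable, Dict, List, Tuple

Finding = Tuple[str, str, Any, Any]  # (setting, kind, actual, approved)

# Constructed documented standard for a hypothetical Linux server in the CDE.
# The predicates are assumed readings of the related PCI DSS controls.
STANDARD: Dict[str, Tuple[Any, Callable[[Any], bool]]] = {
    "sshd.PermitRootLogin":        ("no", lambda v: v == "no"),
    "session.idle_timeout_minutes": (15, lambda v: isinstance(v, int) and 0 < v <= 15),
    "ntp.server":                  ("ntp.example.internal", lambda v: bool(v)),
    "syslog.remote_host":          ("logs.example.internal", lambda v: bool(v)),
    "antimalware.installed":       (True, lambda v: v is True),
}

# Constructed "actual configuration" as collected from two hosts.
COMPLIANT_HOST: Dict[str, Any] = {
    "sshd.PermitRootLogin": "no",
    "session.idle_timeout_minutes": 15,
    "ntp.server": "ntp.example.internal",
    "syslog.remote_host": "logs.example.internal",
    "antimalware.installed": True,
}

DRIFTED_HOST: Dict[str, Any] = {
    "sshd.PermitRootLogin": "yes",          # fails the PCI intent outright
    "session.idle_timeout_minutes": 10,     # meets PCI (<= 15) but not the standard (15)
    "ntp.server": "ntp.example.internal",
    # syslog.remote_host deliberately absent: nothing is forwarding logs
    "antimalware.installed": True,
}


def check_component(actual: Dict[str, Any], standard=STANDARD) -> List[Finding]:
    """Compare one component's collected settings against the documented standard."""
    findings: List[Finding] = []
    for key, (approved, pci_ok) in standard.items():
        if key not in actual:
            findings.append((key, "missing", None, approved))
            continue
        value = actual[key]
        if not pci_ok(value):
            findings.append((key, "pci_gap", value, approved))
        elif value != approved:
            # Meets the requirement but is not what management approved:
            # still reported, because the standard is the thing being assessed.
            findings.append((key, "standard_drift", value, approved))
    return findings


def check_fleet(fleet: Dict[str, Dict[str, Any]], standard=STANDARD) -> Dict[str, List[Finding]]:
    """Run the check across many components; an empty list means 'matches the standard'."""
    return {host: check_component(cfg, standard) for host, cfg in fleet.items()}


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by kind, e.g. {'pci_gap': 1, 'standard_drift': 1, 'missing': 1}."""
    counts: Dict[str, int] = {}
    for _, kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for host, findings in check_fleet({"web01": COMPLIANT_HOST, "web02": DRIFTED_HOST}).items():
        print(f"{host}: {'OK' if not findings else summarize(findings)}")
        for key, kind, actual, approved in findings:
            print(f"  {kind:<15} {key}: actual={actual!r} approved={approved!r}")
```

In practice the `actual` dictionaries would come from whatever collection mechanism the organization already uses (configuration management exports, a CIS-CAT style scan, or a device backup parsed into key/value pairs); the point of the structure is that the approved value lives in one reviewable place, and a gate before production deployment is simply `check_component(new_host) == []`.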
How Forvis Mazars Can Help
Professionals at Forvis Mazars can assist with PCI compliance programs and other IT Risk & Compliance concerns. If you have any questions or need assistance with configuration standards, please contact us.