Want a Word document copy of the entire policy template? Sign up for the PCI DSS Guru newsletter and receive a free copy that you can edit and use in your organization!

(2.2.a) Configuration standards must be maintained for applications, network components, critical servers, and wireless access points. These standards must be consistent with industry-accepted hardening standards as defined, for example, by SysAdmin Assessment Network Security Network (SANS), National Institute of Standards Technology (NIST), and Center for Internet Security (CIS). [2.2.b should be captured in your system configuration standard; 2.2.c and 2.2.3.b should be covered in your procedure for new server set-up]

Configuration standards must include:

• (5.2) updating of anti-virus software and definitions
• (6.1.b) provision for installation of all relevant new security patches within one month
• (8.5.8.b) prohibition of group and shared passwords