
(2.2.a) Configuration standards must be maintained for applications, network components, critical servers, and wireless access points. These standards must be consistent with industry-accepted hardening standards as defined, for example, by SysAdmin Assessment Network Security Network (SANS), the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), and the Center for Internet Security (CIS). [2.2.b should be captured in your system configuration standard; 2.2.c and 2.2.3.b should be covered in your procedure for new server set-up]

Configuration standards must include:

  • (5.2) updating anti-virus software and definitions, performing periodic scans, and generating audit logs.
  • (6.1.a) identifying new security vulnerabilities and assigning risk rankings that identify all “high risk” and “critical” vulnerabilities based on reputable outside sources.
  • (6.2.a) provision for installation of all relevant new security patches within 30 days, and all vendor-supplied security patches within an appropriate time frame.
  • (8.6.a) authentication mechanisms are assigned to individual accounts and are not shared, and physical and/or logical controls ensure that only the intended account can use the mechanism to gain access.