2: Apply Secure Configurations to All System Components

Requirement 2.2.2

Vendor default accounts are managed as follows:
  • If the vendor default account(s) will be used, the default password is changed per Requirement 8.3.6.
  • If the vendor default account(s) will not be used, the account is removed or disabled.

IBM® Safer Payments meets this requirement because it is delivered with a single default user account, and the user interface forces you to change that account's password at your first login before you can access it.

Requirement 2.2.5

If any insecure services, protocols, or daemons are present:
  • Business justification is documented.
  • Additional security features are documented and implemented that reduce the risk of using insecure services, protocols, or daemons.

The following services, protocols, daemons, components, and dependent software and hardware are required and used by IBM Safer Payments:

  • Computer hardware that supports the operating system.
  • Operating system. Refer to System requirements for the list of operating systems that are supported with this IBM Safer Payments release in a PCI DSS compliant environment.
  • IP/http networking secured by TLSv1.2
  • syslog
  • SMTP (optional) secured by TLSv1.2
  • LDAP (optional) secured by TLSv1.2
  • The following libraries are linked statically:
    • openssl-1.1.1n
    • zlib-1.2.11, including its minizip 1.1 contribution
    • boost_1_70_0
    • bzip2-1.0.8
    • snmp++ 2.6
    • opencv-4.1.1
    • Itx
    • rapidjson
    • librdkafka-1.3.0
  • The list of dynamically linked libraries can be obtained by running the following command from a shell:
    ldd /usr/bin/iris
  • If you use the ODBC interface in case actions or notifications, IBM Safer Payments dynamically links the following plug-in:
    iris_sql_util.so
  • The plug-in itself might link further libraries. The list of libraries that the plug-in links dynamically can be obtained by running the following command from a shell:
    ldd iris_sql_util.so
  • In addition, IBM Safer Payments can link the IBM MQ client library (libmqic.so) and a custom parser implementation (sp_custom_parser.so) at run time if these shared libraries are deployed on the shared library search path of IBM Safer Payments. Neither is required to run IBM Safer Payments. They are developed and released by independent development teams and are therefore not covered by the PCI DSS certification of IBM Safer Payments.
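The two ldd steps above produce a raw listing that still has to be turned into an inventory and compared against what is expected to be loaded. The following script is an added example for this page, not IBM's code or part of the product: it parses ldd output into a "soname path" inventory, marks unresolved libraries, and searches the library search path for the two optional, non-certified plug-ins named above. The binary path /usr/bin/iris, the /opt/ibm directory and the sample ldd output are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added example: not part of the IBM Safer Payments documentation or product.
# Inventories the shared libraries that a binary resolves at load time (the
# ldd step above) and checks whether the optional, non-certified plug-ins
# named in the text (libmqic.so, sp_custom_parser.so) sit on the library
# search path. The binary path and the sample ldd output are assumptions.

SP_BINARY="${SP_BINARY:-/usr/bin/iris}"
OPTIONAL_LIBS="libmqic.so sp_custom_parser.so"

# parse_ldd: read ldd output on stdin and print "soname resolved-path", one
# library per line. Lines without "=>" (the vDSO and the dynamic loader) are
# skipped; an unresolved library is printed with NOT_FOUND so that a missing
# or mis-deployed dependency stands out in the inventory.
parse_ldd() {
    awk '$2 == "=>" { if ($3 == "not") print $1, "NOT_FOUND"; else print $1, $3 }'
}

# list_deps: inventory one binary or plug-in, e.g. list_deps "$SP_BINARY".
list_deps() {
    ldd "$1" | parse_ldd
}

# find_optional_libs: look in every directory on LD_LIBRARY_PATH, plus any
# directories passed as arguments, for the optional plug-ins. Each hit is
# printed as "name path"; a hit means the plug-in will be linked at run time
# and therefore that code outside the PCI DSS certification scope is in use.
find_optional_libs() {
    dirs=$(printf '%s' "${LD_LIBRARY_PATH:-}" | tr ':' ' ')
    for dir in $dirs "$@"; do
        [ -d "$dir" ] || continue
        for lib in $OPTIONAL_LIBS; do
            [ -f "$dir/$lib" ] && printf '%s %s\n' "$lib" "$dir/$lib"
        done
    done
    return 0
}

# Constructed sample of what `ldd /usr/bin/iris` could print; libexample.so
# is deliberately unresolved to show the NOT_FOUND case.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd1c5f0000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f3a1c200000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f3a1c1e0000)
    libexample.so => not found
    /lib64/ld-linux-x86-64.so.2 (0x00007f3a1c400000)'

# Usage: --demo processes the constructed sample; --live inventories the real
# binary and reports optional plug-ins on LD_LIBRARY_PATH or under /opt/ibm
# (an assumed deployment directory).
case "${1:-}" in
    --demo)
        printf '%s\n' "$SAMPLE_LDD" | parse_ldd
        ;;
    --live)
        list_deps "$SP_BINARY"
        find_optional_libs /opt/ibm
        ;;
esac
```

Run the inventory at installation time and after every patch, and keep the output with the change record: a new soname, a NOT_FOUND entry, or a hit on one of the optional plug-ins is a change in what code the payment engine actually loads, which is exactly what an assessor will ask about under this requirement.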

To comply with this requirement, certain IP communication must be encrypted, and several operating system configuration settings must be made. This is addressed in detail in the sections Installation overview and Operational configuration.

To comply with this requirement, you must not use SSD-type disks, because secure deletion cannot be assured with this technology: wear levelling and block remapping in flash storage mean that overwriting a logical block does not guarantee that the previous physical copy of the data is erased.

Requirement 2.2.7

All non-console administrative access is encrypted using strong cryptography.

All administrative access to IBM Safer Payments is over the IBM Safer Payments API, which natively uses the http or https protocol. To comply with this requirement, all API communication must use https only, which provides strong encryption. This can be achieved with the internal SSL encryption function of IBM Safer Payments. For more information, see Configuring SSL encryption.

To be compliant, you must use strong cryptography for all non-console administrative access to the Safer Payments servers: technologies such as SSH2, VPN, or TLSv1.2 with at least 128-bit encryption strength. Do not use telnet or rlogin for remote access, because they transmit credentials and session data in clear text.
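Configuring https is only half of the requirement; an assessor will also want evidence that the endpoint refuses legacy protocol versions and negotiates a cipher of at least 128-bit strength. The following script is an added example for this page, not IBM's code or part of the product: it probes an endpoint with `openssl s_client` for SSLv3, TLSv1.0 and TLSv1.1 acceptance, then grades the TLSv1.2 session by the Protocol and Cipher lines of the s_client output. The host, port and the sample s_client excerpts are assumptions constructed for the offline demonstration; the cipher-strength rule relies on OpenSSL's suite naming conventions.

```shell
#!/bin/sh
# Added example: not part of the IBM Safer Payments documentation or product.
# Checks an https endpoint against Requirement 2.2.7: legacy protocol versions
# must be refused, and the negotiated session must use TLSv1.2 or later with a
# cipher of at least 128-bit strength. Host, port and the sample s_client
# excerpts below are assumptions constructed for illustration.

# assess_tls_session: read `openssl s_client` output on stdin and print
# "PASS <protocol> <cipher>" or "FAIL <reason>". A failed handshake shows up as
# cipher 0000 or (NONE). The strength rule follows OpenSSL suite names:
# AES128/AES256/CHACHA20 (TLS 1.2) and AES_128/AES_256 (TLS 1.3) pass, while
# NULL, RC4, DES/3DES, export, MD5 and anonymous suites fail.
assess_tls_session() {
    awk '
        /^ *Protocol *:/ { proto = $NF }
        /^ *Cipher *:/   { cipher = $NF }
        END {
            if (proto == "" || cipher == "" || cipher == "0000" || cipher == "(NONE)") {
                print "FAIL no-handshake"; exit
            }
            if (proto != "TLSv1.2" && proto != "TLSv1.3") {
                print "FAIL weak-protocol " proto; exit
            }
            if (cipher ~ /NULL|RC4|DES|EXP|MD5|ADH|AECDH/) {
                print "FAIL weak-cipher " cipher; exit
            }
            if (cipher !~ /AES_?(128|256)|CHACHA20/) {
                print "FAIL unknown-strength " cipher; exit
            }
            print "PASS " proto " " cipher
        }'
}

# probe_endpoint: attempt a handshake with each legacy version and report
# whether the server refused it (s_client exits non-zero when the handshake
# fails; a local OpenSSL that no longer supports the version at all also
# exits non-zero, so confirm with a second tool if "refused" is surprising).
# Then negotiate TLSv1.2 and grade the session. SNI is sent for virtual hosts.
probe_endpoint() {
    host="$1"; port="${2:-443}"
    for ver in ssl3 tls1 tls1_1; do
        if openssl s_client -connect "$host:$port" -servername "$host" "-$ver" \
               </dev/null >/dev/null 2>&1; then
            echo "FAIL $ver accepted"
        else
            echo "OK   $ver refused"
        fi
    done
    openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 \
        </dev/null 2>/dev/null | assess_tls_session
}

# Constructed excerpts of s_client output for the offline demonstration.
SAMPLE_GOOD='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'
SAMPLE_LEGACY='New, TLSv1.0, Cipher is DES-CBC3-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA'
SAMPLE_REFUSED='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

# Usage: --demo grades the constructed samples; "--live host [port]" probes a
# real endpoint, e.g. the assumed API host saferpayments.example.internal.
case "${1:-}" in
    --demo)
        for s in "$SAMPLE_GOOD" "$SAMPLE_LEGACY" "$SAMPLE_REFUSED"; do
            printf '%s\n' "$s" | assess_tls_session
        done
        ;;
    --live)
        probe_endpoint "${2:-saferpayments.example.internal}" "${3:-443}"
        ;;
esac
```

Run the live probe from a host on the same network segment as the administrators, since a TLS-terminating proxy in between would otherwise hide the configuration of the Safer Payments instance itself.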

Requirement 2.3.1

For wireless environments connected to the CDE or transmitting account data, all wireless vendor defaults are changed at installation or are confirmed to be secure, including but not limited to:

  • Default wireless encryption keys.
  • Passwords on wireless access points.
  • SNMP defaults.
  • Any other security-related wireless vendor defaults.

To ensure compliance, you must verify that

  • Default encryption keys are changed at installation, and are changed whenever anyone with knowledge of the keys leaves the company or changes positions.
  • Default SNMP community strings on wireless devices are changed.
  • Default passwords/passphrases on access points are changed.
  • Firmware on wireless devices is updated to support strong encryption for authentication and transmission over wireless networks.
  • Other security-related wireless vendor defaults are changed, if applicable.
  • Firewalls are installed between IBM Safer Payments (and other systems that store Cardholder Data) and wireless networks.
  • Firewalls are configured to deny any traffic from the wireless environment into the Cardholder Data environment, or to control it where such traffic is necessary for business purposes.