Purpose
This document establishes a formal standard for management of default vendor settings and configurations of systems, firewalls, and routers within Cardholder Data Environments (CDE) and outlines the related requirements specified in the Payment Card Industry Data Security Standards (PCI DSS) that must be implemented into all UMD network infrastructures that are processing cardholder data.
Additional authority
The following standards help guide the content of this document: Payment Card Industry Data Security Standard - Requirement 2.
Scope
This standard applies to all UMD IT elements that are attached to a Cardholder Data Environment (CDE) network. All systems processing cardholder data, meaning the full Primary Account Number (PAN), or the full PAN plus any of the following: cardholder name, expiration date, service code, data from the magnetic stripe or card chip, and/or Personal Identification Number (PIN), must only be connected to a designated CDE network.
Standard
System components used in sensitive networks often come with default vendor settings such as usernames, passwords, and configurations. Default parameters for many systems can be found with a web search. Always change vendor-supplied defaults for system passwords. Carefully consider each default parameter before systems are installed in the CDE.
NOTE: As a general rule, every PCI Standard should be reviewed annually and updated as needed to reflect changes to business objectives or the risk environment.
Requirements
- Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system (e.g. servers, desktops, point-of-sale devices, firewalls, and network devices) on the CDE network. Change default passwords adhering to the USM Security Standards.
- Develop secure configurations for the systems in the CDE that address known vulnerabilities. Update the configuration as new vulnerabilities are identified. Encrypt all non-console administrative access. Do not use deprecated protocols such as SSL or early versions of TLS.
- Build and maintain an inventory of system components that are in scope for PCI DSS.
- Disseminate security standards and operational procedures to ensure vendor defaults and other security parameters are continuously managed to prevent insecure configurations.
- Shared hosting environments must protect each entity's hosted environment and data.
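One way to turn the first three requirements into a repeatable check over the component inventory, as an added example that is not UMD's or the PCI Council's own tooling: the inventory record fields, the list of common vendor default account names, and the list of cleartext administrative services are assumptions made for illustration.

```python
"""Audit a CDE component inventory for unmanaged vendor defaults, cleartext
non-console admin access, and deprecated SSL/early-TLS settings.
The record layout (hostname, accounts, admin_services, tls_min) is assumed."""

# Account names commonly shipped as vendor defaults (assumption, not exhaustive).
DEFAULT_ACCOUNT_NAMES = {"admin", "root", "cisco", "manager", "guest"}
# Non-console admin services that carry credentials in the clear (assumption).
CLEARTEXT_ADMIN_SERVICES = {"telnet", "http", "ftp", "snmpv1", "snmpv2c"}
# Protocol versions PCI DSS treats as deprecated (SSL and early TLS).
DEPRECATED_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
REQUIRED_TLS_MIN = "TLSv1.2"


def audit_component(comp):
    """Return a list of findings for one inventory record (empty = compliant)."""
    findings = []
    for acct in comp.get("accounts", []):
        if acct["name"] in DEFAULT_ACCOUNT_NAMES and acct.get("enabled", True):
            # Default account still carrying the vendor-supplied password.
            if not acct.get("password_changed", False):
                findings.append(f"default account '{acct['name']}' still has vendor password")
            # Default account that nothing needs should be removed or disabled.
            if not acct.get("required", False):
                findings.append(f"unnecessary default account '{acct['name']}' is enabled")
    for svc in comp.get("admin_services", []):
        if svc in CLEARTEXT_ADMIN_SERVICES:
            findings.append(f"non-console admin access over cleartext service '{svc}'")
    if comp.get("tls_min") in DEPRECATED_TLS:
        findings.append(f"minimum protocol {comp['tls_min']} is deprecated; require {REQUIRED_TLS_MIN}+")
    return findings


def audit_inventory(inventory):
    """Map each hostname in the inventory to its findings."""
    return {c["hostname"]: audit_component(c) for c in inventory}


# Constructed sample inventory; these are not real UMD systems.
SAMPLE_INVENTORY = [
    {"hostname": "pos-fw-01", "role": "firewall",
     "accounts": [{"name": "admin", "enabled": True, "password_changed": False, "required": True},
                  {"name": "guest", "enabled": True, "password_changed": True, "required": False}],
     "admin_services": ["telnet", "https"], "tls_min": "TLSv1.0"},
    {"hostname": "pos-srv-01", "role": "server",
     "accounts": [{"name": "svc_pos", "enabled": True, "password_changed": True, "required": True}],
     "admin_services": ["ssh"], "tls_min": "TLSv1.2"},
]

if __name__ == "__main__":
    for host, issues in audit_inventory(SAMPLE_INVENTORY).items():
        print(host, "PASS" if not issues else "FAIL")
        for issue in issues:
            print("  -", issue)
```

Run against the real inventory, the FAIL entries are the components that must be remediated before (or removed from) the CDE network.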