1. Introduction

Payment Card Industry Data Security Standards (PCI DSS) requirements a formal policy and supporting procedures for the changing of vendor supplied default settings for all system components.

1. Policy

• Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. Note: This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, Simple Network Management Protocol (SNMP) community strings, etc.).

• All vendor defaults (including default passwords on operating systems, software providing security services, application and system accounts, POS terminals, Simple Network Management Protocol are to be changed before a system is installed on the card holder environment.

• Unnecessary default accounts are removed or disabled before a system is installed on the network.

• Appropriately configure, examine, and confirm system settings and all necessary configurations to ensure that encryption keys are changed from default at installation.

1. Responsibility for Policy Maintenance

PCI Committee – College PCI Committee whose members include the Network and Security Services Manager, Compliance and Information Governance Manager and Head of Treasury Management. (pcidsscom@imperial.ac.uk) are responsible for maintaining the Policy,

Changelog:

22 Sep 2017					Anh Duong	First draft of new policy
27 Sep 2017					Saadia Sajid	Review and amendments to draft