1. Introduction

The Payment Card Industry Data Security Standard (PCI DSS) requires a formal policy, and supporting procedures, for changing vendor-supplied default settings on all system components before they are placed in the cardholder data environment.

  2. Policy

  • Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. Note: this applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals and Simple Network Management Protocol (SNMP) community strings.

  • All vendor defaults (including default passwords on operating systems, software providing security services, application and system accounts, POS terminals and SNMP community strings) are to be changed before a system is installed in the cardholder data environment.

  • Unnecessary default accounts are removed or disabled before a system is installed on the network.

  • System settings and all necessary configurations are appropriately configured, examined and confirmed to ensure that default encryption keys are changed at installation.

 

  3. Responsibility for Policy Maintenance

The College PCI Committee (pcidsscom@imperial.ac.uk), whose members include the Network and Security Services Manager, the Compliance and Information Governance Manager and the Head of Treasury Management, is responsible for maintaining this Policy.

Changelog:

22 Sep 2017    Anh Duong       First draft of new policy
27 Sep 2017    Saadia Sajid    Review and amendments to draft