Part 2: Road Map to PCI

Build and Maintain a Secure Network

Last month we looked at the first area of focus for meeting the requirements of the PCI Data Security Standards: Building and Maintaining a Secure Network. We learned that the first requirement in order to Build and Maintain a Secure Network is to Install and Maintain a Firewall.

This month we take a look at the second requirement for Building and Maintaining a Secure Network: changing vendor-supplied defaults for system passwords and other security parameters.

Password Strength

In the past when we have spoken about passwords, we have generally given tips on constructing stronger passwords for the accounts you use in various applications. Recent studies show that over 10% of passwords in use appear in the top 25 most commonly used passwords, a list that for three years running has been topped by the password “password.”

Clearly using strong passwords is important, and as such you have probably seen many of your favorite applications begin to require use of special characters, numbers, as well as a mix of upper and lower case letters.

Using a password management tool such as 1Password is a great way to store your login credentials, and it can even generate and save passwords for you! When using a password management tool, you only need to remember your password to the application. Once you have logged in, all of your login credentials are available for you.

Default Passwords

Password security goes beyond just using strong passwords, and an often-overlooked aspect of password security is updating vendor-supplied default passwords. This means, for example, that if you are setting up wireless internet access you would want to change the default password that your Internet Service Provider has given you or programmed in by default.

Any time a password is set for you and you have not created it yourself, make sure that it is changed. Updating these passwords is important. Continuing to use default passwords provides an easier target for someone looking to compromise networks, as attackers are often aware of the common defaults in use.
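As an added example (not part of the original post), a small Python policy check that rejects a password left at a vendor-supplied default, catches the common passwords the post mentions, and enforces the complexity mix described above. The denylist entries other than “password”, the minimum length and the function name are assumptions made here for illustration.

```python
import re
from typing import List, Optional

# Constructed sample denylist: the post names "password" as the top entry of the
# most-common list; the remaining entries are typical common/default values added
# here for illustration and are not taken from the post.
COMMON_DEFAULTS = {
    "password", "123456", "admin", "welcome", "letmein", "qwerty", "changeme",
}

# Minimum length is an assumed local policy value, not a figure from the post.
MIN_LENGTH = 12


def check_password(candidate: str, vendor_default: Optional[str] = None) -> List[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    lowered = candidate.lower()
    # Letters only, so "Password1!" is still recognised as the word "password".
    letters_only = re.sub(r"[^a-z]", "", lowered)

    if vendor_default is not None and candidate == vendor_default:
        problems.append("password is unchanged from the vendor-supplied default")
    if lowered in COMMON_DEFAULTS or letters_only in COMMON_DEFAULTS:
        problems.append("password appears on the common/default password list")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Complexity mix from the post: upper and lower case, numbers, special characters.
    if not re.search(r"[A-Z]", candidate):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no special character")
    return problems


if __name__ == "__main__":
    for pw in ("password", "Password1!", "Correct-Horse-7Battery"):
        print(pw, "->", check_password(pw) or "OK")
```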

Additional Security Parameters

Other security parameters are important as well, and the PCI Council also wants you to look at these. For instance, if someone logs in to his or her work computer from home, or if you have tech support log into your machine, you are allowing remote access into your work computers and network.

If remote access to your network is allowed, make sure that the person responsible for your network and its security inspects the settings used for this access. Making sure that remote access is encrypted and secure, especially at the point where passwords are entered to gain access, is critical.

Ensuring that you follow the best practices outlined above, as well as those contained within last month’s article on Installing and Maintaining a Firewall, will help ensure that you have built and are continuing to maintain a secure network.

This brings us to the close of the first of the 6 areas of focus that the PCI Council has created, Build and Maintain a Secure Network. Next month we will shift our attention to the second focus of the PCI Data Security Standards, Protect Cardholder Data.

As always, if you have any questions about PCI or the best practices contained in our Road Map to PCI Compliance series please give us a call or send us an email.

Previous Posts:
Installing and Maintaining a Firewall

If you have other questions or topics about PCI security that you would like to see covered on our blog, let us know! You can email us at to share your thoughts or questions which we may then address here on our blog!