Introduction

The Payment Card Industry Data Security Standard (PCI DSS) requires a formal policy, with supporting procedures, for changing vendor-supplied default settings on all system components before they are placed into service.

Policy

  • Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. Note: This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, and Simple Network Management Protocol (SNMP) community strings.
  • All vendor defaults (including default passwords on operating systems, software providing security services, application and system accounts, POS terminals, and SNMP community strings) are to be changed before a system is installed in the cardholder data environment.
  • Unnecessary default accounts are removed or disabled before a system is installed on the network.
  • At installation, examine system settings and all relevant configurations to confirm that encryption keys have been changed from their vendor-supplied defaults.

Responsibility for Policy Maintenance

PCI Committee – the College PCI Committee, whose members include the Chief Information Security Officer, the Head of Income and the Director of Customer Success (pcidsscom@imperial.ac.uk), is responsible for maintaining the Policy,