Which requirement states that vendor-supplied defaults for system passwords and other security parameters must not be used?

Multiple Choice

Which requirement states that vendor-supplied defaults for system passwords and other security parameters must not be used?

Explanation:
This is PCI DSS Requirement 2. In PCI DSS v3.2.1 it is titled "Do not use vendor-supplied defaults for system passwords and other security parameters"; v4.0 keeps the same number under the title "Apply secure configurations to all system components". It is a configuration-hardening control. Vendor defaults are published in product manuals and in freely available default-credential lists, and they are frequently left in place after deployment, which gives an attacker a ready-made way in. The requirement calls for changing default credentials, and other default security parameters such as SNMP community strings and encryption keys, to unique, strong values, and for removing or disabling default accounts that are not needed, before the system is connected to the network. Doing so removes a common, easily exploitable entry point and directly reduces the risk of unauthorized access. Note that the requirement governs what the assessed entity must do before deployment; it does not govern how vendors ship their products.

The other answer choices describe protecting cardholder data in transit, protecting stored cardholder data, and restricting access. Those are important PCI DSS controls, but each targets a different risk; none of them addresses the exposure created by leaving vendor defaults in place.

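As an added illustration of the hardening this requirement asks for (example code written for this page, not part of the original quiz or of the PCI DSS standard itself), the Python script below audits a constructed system inventory for three classes of vendor default: stored password hashes that still verify against a published default password for that account name, enabled vendor default accounts that have never been used, and default SNMP community strings in a net-snmp style snmpd.conf. The account record format, the PBKDF2 hashing, and the short default lists are assumptions made for the example; a real audit would export records from the target system and use a maintained default-credential list.

```python
"""Audit an inventory for vendor-supplied defaults (PCI DSS Requirement 2).

Example code for this page; the record format and default lists are assumptions.
"""
import hashlib
import hmac
import re

# Illustrative subset of widely published vendor default credentials,
# keyed by account name. A real audit uses a maintained list.
KNOWN_DEFAULT_PASSWORDS = {
    "admin": ["admin", "password", "1234"],
    "root": ["root", "toor", "password"],
    "cisco": ["cisco"],
    "guest": ["guest", ""],
}

# Vendor default accounts that should be removed or disabled if unused.
KNOWN_DEFAULT_ACCOUNTS = {"guest", "cisco", "support", "sa"}

# Default SNMP community strings shipped by many devices.
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; stands in for whatever hash the system stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def find_default_credentials(accounts):
    """Return account names whose stored hash verifies against a known default
    password for that name. The auditor never needs the plaintext password."""
    hits = []
    for acct in accounts:
        for candidate in KNOWN_DEFAULT_PASSWORDS.get(acct["user"], []):
            if hmac.compare_digest(hash_password(candidate, acct["salt"]), acct["hash"]):
                hits.append(acct["user"])
                break
    return hits


def find_enabled_default_accounts(accounts):
    """Enabled vendor default accounts that have never logged in (unused)."""
    return [
        a["user"]
        for a in accounts
        if a["user"] in KNOWN_DEFAULT_ACCOUNTS and a["enabled"] and a.get("last_login") is None
    ]


_COMMUNITY_RE = re.compile(r"^\s*(ro|rw)community\s+(\S+)", re.IGNORECASE)


def find_default_snmp_communities(snmpd_conf: str):
    """Parse net-snmp style 'rocommunity/rwcommunity <string>' lines and flag
    community strings that are still the shipped defaults."""
    found = []
    for line in snmpd_conf.splitlines():
        m = _COMMUNITY_RE.match(line)
        if m and m.group(2) in DEFAULT_SNMP_COMMUNITIES:
            found.append((m.group(1).lower(), m.group(2)))
    return found


def audit(accounts, snmpd_conf):
    """Run all three checks and return the findings as one dict."""
    return {
        "default_credentials": find_default_credentials(accounts),
        "enabled_unused_default_accounts": find_enabled_default_accounts(accounts),
        "default_snmp_communities": find_default_snmp_communities(snmpd_conf),
    }


# Constructed sample inventory (not taken from any real system).
SALT = b"\x01" * 16
SAMPLE_ACCOUNTS = [
    {"user": "admin", "salt": SALT, "hash": hash_password("admin", SALT),
     "enabled": True, "last_login": "2024-05-01"},
    {"user": "root", "salt": SALT, "hash": hash_password("Xq7!v9Lp#2wTz", SALT),
     "enabled": True, "last_login": "2024-05-02"},
    {"user": "guest", "salt": SALT, "hash": hash_password("guest", SALT),
     "enabled": True, "last_login": None},
    {"user": "support", "salt": SALT, "hash": hash_password("S3cure-Sup!", SALT),
     "enabled": False, "last_login": None},
]
SAMPLE_SNMPD_CONF = """# constructed snmpd.conf fragment
rocommunity public default
rwcommunity private 10.0.0.0/8
rocommunity s3cr3t-string 10.1.2.0/24
"""

if __name__ == "__main__":
    for key, val in audit(SAMPLE_ACCOUNTS, SAMPLE_SNMPD_CONF).items():
        print(f"{key}: {val}")
```

Each finding maps onto a remediation the requirement expects: a matched default password must be changed to a unique, strong value; an enabled but unused default account should be disabled or removed; and a default community string should be replaced (or SNMPv1/v2c retired in favour of SNMPv3). Verifying against stored hashes rather than plaintext mirrors how such an audit is run in practice, where the assessor has the credential store but not the passwords.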