PCI DSS 1.2.6: Securing Risky Services and Protocols
Risky services and protocols create unnecessary vulnerabilities in your payment card environment. PCI DSS 1.2.6 requires you to document all services, protocols, and ports—then implement security features for anything deemed risky. This control prevents attackers from exploiting insecure communication channels that handle cardholder data.
What this means
Your organization must identify all services, protocols, and ports in use across your infrastructure. For those classified as risky (such as telnet, HTTP, FTP, or older SSL/TLS versions), you must implement compensating security controls. This includes encryption, strong authentication, network segmentation, or disabling the service entirely if it's unnecessary. The goal is to eliminate or significantly reduce the attack surface created by outdated or inherently insecure technologies.
How to comply
- 1.Conduct a comprehensive inventory of all services, protocols, and ports currently running on systems in your cardholder data environment (CDE)
- 2.Document each service with its business justification, protocol version, and current security features
- 3.Classify services and protocols as either necessary or risky based on PCI DSS guidelines and industry standards
- 4.For risky services: implement encryption (TLS 1.2+), disable unnecessary ports, restrict access via firewall rules, or decommission the service if not required
- 5.Apply compensating controls such as IP whitelisting, VPN access requirements, or network segmentation for services that cannot be immediately disabled
- 6.Configure systems to use only secure protocol versions (e.g., disable SSLv3, TLSv1.0, TLSv1.1)
- 7.Document all security features implemented for each risky service
- 8.Review and validate controls quarterly; remove or update deprecated services from your inventory
Evidence auditors look for
- Network inventory documentation listing all active services, protocols, and ports with justifications
- Risk assessment report classifying services as risky or necessary
- Firewall rules restricting access to risky protocols or ports
- TLS configuration documentation showing minimum version 1.2+ in use
- Encryption certificates and configuration files for encrypted protocols
- Change management tickets or system hardening logs documenting protocol upgrades or service decommissioning
- Service accounts and authentication logs demonstrating strong authentication for risky services
- Network segmentation diagrams isolating systems using legacy or risky protocols
- Quarterly service and protocol review records with risk assessment updates
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates service and protocol inventory discovery across your infrastructure, flags risky services against PCI DSS standards, and tracks compensating control documentation—eliminating manual audits and reducing compliance gaps.
See how GRCWatch handles this control automatically
Start free trial