PCI DSS 2.2.2: Managing Vendor Default Accounts
Vendor default accounts are a critical security weak point—attackers actively exploit them because credentials are publicly known. PCI DSS 2.2.2 requires you to change, disable, or remove these accounts before any system connects to your network. Failing to do so puts cardholder data at immediate risk.
What this means
This control addresses the practice of vendors shipping systems with pre-configured default accounts (e.g., admin/admin or root credentials). These accounts must be eliminated before deployment because they are widely documented and easily exploited. Compliance means establishing a formal process to identify, document, and remediate all vendor defaults on every system connected to your cardholder data environment.
How to comply
- 1.Document all vendor default accounts for every system deployed in your environment
- 2.Change default passwords to strong, unique credentials before network connectivity
- 3.Disable vendor default accounts if the system allows operation without them
- 4.Remove default accounts entirely where removal is supported
- 5.Test system functionality after credential changes to ensure no service disruption
- 6.Maintain an inventory of which defaults were changed, disabled, or removed per system
- 7.Establish a pre-deployment checklist requiring vendor default remediation sign-off
Evidence auditors look for
- Asset inventory listing all systems with vendor default account remediation status
- Network access logs showing disabled or changed default account authentication attempts
- System configuration documentation proving password changes before deployment
- Pre-deployment security checklist signed by authorized personnel
- Vendor documentation confirming account removal or disablement
- Change management tickets recording default account modifications
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates vendor default account tracking by maintaining a system inventory with compliance status flags, alerting you when new systems are deployed without documented default account remediation.
See how GRCWatch handles this control automatically
Start free trial