GRCWatch
Sign inStart free trial

PCI DSS 2.2.4: Enable Only Necessary Services

Unnecessary services and protocols create hidden entry points for attackers—even if they're never used. PCI DSS 2.2.4 requires you to disable everything your systems don't absolutely need. This control is foundational to reducing your attack surface and preventing unauthorized access to cardholder data.

What this means

This control mandates a minimalist approach to system configuration. Every service, protocol, daemon, and function running on systems in your cardholder data environment (CDE) must have a documented business or security justification. Anything that isn't essential should be removed or disabled completely. This includes unnecessary network services, unused protocols, background processes, and default functionality that came pre-enabled. The goal is to eliminate potential vulnerabilities before attackers can exploit them.

How to comply

  1. 1.Inventory all services, protocols, daemons, and functions enabled on each system in scope
  2. 2.Document the business or security justification for each enabled service
  3. 3.Identify and list all unnecessary or unused services across your infrastructure
  4. 4.Disable or remove unnecessary services using system configuration tools or vendor guidelines
  5. 5.Verify disabled services remain inactive across system reboots and updates
  6. 6.Establish a change management process for enabling new services
  7. 7.Conduct quarterly reviews to identify newly unnecessary services and disable them
  8. 8.Maintain configuration standards that reflect a 'disable by default' policy

Evidence auditors look for

  • System hardening documentation listing all enabled services with business justification
  • Configuration management records showing disabled services and removal dates
  • Netstat or service enumeration reports documenting active services before and after hardening
  • Change management tickets approving new service enablement with risk assessment
  • Firewall rules limiting access to only necessary ports and protocols
  • Server configuration baselines specifying which services must be disabled
  • Patch management logs showing updates applied without re-enabling unnecessary services
  • Quarterly service audits confirming unnecessary services remain disabled

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates service discovery and tracks which services are enabled across your entire infrastructure, alerting you to unnecessary services and generating compliant evidence automatically.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 2.2.1 - Configuration StandardsPCI DSS 2.2.2 - Configure System Components to Prevent Unnecessary FunctionsPCI DSS 2.2.5 - Remove Unnecessary AccountsPCI DSS 6.2 - Ensure Security Patches Are Installed