PCI DSS 2.2.6: Configure System Security Parameters to Prevent Misuse
PCI DSS 2.2.6 requires organizations to configure system security parameters that prevent unauthorized or improper use of systems handling cardholder data. Misconfigured security settings create vulnerabilities exploited by attackers. This control ensures your systems are hardened against common attack vectors from day one.
What this means
System security parameters include settings like password policies, account lockout thresholds, encryption algorithms, session timeouts, and permission defaults. This control mandates that all configurable security settings be intentionally set to secure defaults that actively prevent misuse—not left at vendor defaults or permissive settings. Organizations must document which parameters are configured and why, ensuring security-by-design rather than security-by-exception.
How to comply
- 1.Identify all systems and devices processing, storing, or transmitting cardholder data and inventory their configurable security parameters
- 2.Define secure baseline configurations for each system type (servers, workstations, network devices, databases) aligned with PCI DSS requirements
- 3.Document required security parameter settings including password complexity, encryption standards, audit logging, and account lockout policies
- 4.Apply hardened configurations to all systems before deployment to production environments
- 5.Implement automated configuration management tools to enforce and monitor security parameters across your infrastructure
- 6.Regularly review and update security parameter configurations to address new threats and organizational changes
- 7.Maintain audit logs showing who configured parameters, when, and what was changed
Evidence auditors look for
- System configuration baselines documented and version-controlled for each system type
- Configuration management database (CMDB) or asset inventory showing applied security parameters
- Automated configuration scanning reports demonstrating compliance with baseline standards
- Password policy documentation enforced via Active Directory or equivalent directory service
- Encryption algorithm configuration on databases, file servers, and network devices
- Session timeout and idle session termination settings configured and logged
- Change logs showing parameter modifications with timestamps and approval records
- Hardening guides and configuration checklists aligned with PCI DSS 2.2.6 requirements
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically discovers your systems' current security parameters, compares them against PCI DSS 2.2.6 baselines, and alerts you to deviations—eliminating manual configuration audits and ensuring security parameters stay hardened across your infrastructure.
See how GRCWatch handles this control automatically
Start free trial