PCI-DSS requirement 2.2 hardening standards


PCI DSS compliance is a requirement for any business that stores, processes, or transmits cardholder data. The PCI-DSS standard has various requirements. Requirement 2.2 poses a fundamental challenge to many organizations managing large server environments as it requires enforcement and management of servers hardening baselines.


Default operating systems and applications configurations are not built for purposes of security; but for ease of deploying a system for ease of use. Such system, when used as supplied, makes your entire infrastructure vulnerable to attacks. Hardening the servers (OS and applications) is a basic requirement in an enterprise security posture. The process of hardening servers involves both IT ops. and security teams and require changes to the default configuration according to industry benchmarks.


PCI-DSS requirement 2.2 guide organizations to: “develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with security accepted system hardening standards.”


Recommended standards are the common used CIS benchmarks or other standards such as:


  • National Institute of Standards and Technology (NIST)
  • International Organization for Standardization (ISO)
  • SysAdmin, Audit, Network, and Security (SANS) Institute

Although finding a baseline and approving it is a relatively easy task, enforcing and managing a baseline such as CIS is labor intensive and error prone for IT teams. Enforcing baseline configuration changes on production servers might create system outages and application malfunction. Configuration changes must be carefully tested in lab environments before deployed in production, and yet after tested, services will break as the ability to simulate the production dependencies in a lab is impossible.


The challenges of managing a hardening process often reflects as IT audit points for lack of configuration hardening and fines from the PCI-DSS council.


PCI-DSS requirement 2.2 in PCI-DSS V3.2:




Easily achieve compliance with PCI-DSS requirement 2.2., Reduce IT administration costs for server hardening tasks and ensure continuous compliance with known hardening standards while avoiding system crashes and outages.

CHS for Microsoft OMS is a baseline hardening solution designed to address the needs of IT operations and security teams. It significantly reduces operational costs and eliminates service downtime by indicating the impact of a security baseline change directly on the production environment saving the need of testing changes in a lab environment.




  • Deploy the required security baseline without affecting the production services.
  • Reduce the costs and resources required for implementing and achieving compliance.
  • Manage the hardening baseline for the entire infrastructure from a single point.
  • Avoid configuration drifts and repeated hardening processes.