This post is part of a series on the 12 requirements of PCI DSS. For each requirement we discuss the common challenges and explain what kind of evidence is needed to comply. This time we look at:
Requirement 8 of PCI DSS: Identify and authenticate access to systems
Being able to trace the actions of each person with access to data or critical systems ensures that each person is accountable for what they do.
Although it is possible to implement authentication based on different factors, the most widely used is user ID and password (factor 1), with the other two factors serving as additional protection.
The success of an authentication system, which is usually password-based, depends on its design and on the security measures that protect the credentials in transit and at rest.
The main challenges and steps that we must consider
- Management of user identification
Implement policies and procedures to ensure the proper management of user identification.
- Unique ID
Define a unique ID for all users before allowing them to access system components or cardholder data.
- Install a process for changes
Implement a process to maintain control of new additions, deletions and modifications of access credentials for all user IDs.
- Control user IDs of terminated employees
Revoke all access granted to terminated users immediately.
- Control inactive user IDs
Disable user IDs that have been inactive for an extended period.
- Control third-party access
Enable and monitor third-party access ONLY when it is necessary, and only for the time needed.
- Monitor activities for all user IDs
Monitor activities for all user IDs, especially those granted to third-parties.
- Set up an account lock for failed accesses
Limit the number of failed login attempts by locking the account; keep it locked for a minimum of half an hour or until an administrator unlocks it manually.
- Set up 2FA
Implement two-factor authentication for all non-console administrative access and especially for all remote access.
- Use strong encryption
Use only strong encryption for the transmission and storage of authentication passwords.
- Use strong password policies
Implement a strong password policy so that passwords are not easy to guess for an attacker who wants to use a valid user ID.
- Prohibit the use of generic users or shared passwords
Shared or generic accounts make it impossible to attribute activity to a single user.
- Train staff on security awareness
Personnel must always know and follow the security policies and the procedures for identification and access authorization. Train staff frequently and creatively so that they recognize and apply the procedures and policies for secure authentication.
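The account lockout, strong credential storage and password policy points above can be demonstrated together in a small user store. The following is an added example and not code from the original post or from any PCI DSS publication; the thresholds it uses (lock after 6 failures, 30-minute lockout, 7-character minimum with letters and digits, 600,000 PBKDF2 iterations) are assumptions chosen for illustration, and the `AuthStore` class, its method names and the injectable `clock` are this example's own.

```python
"""Added example (not from the original post): salted, slow password hashing,
a password policy check, and per-user lockout with manual unlock.
All thresholds are assumptions for illustration; check them against your policy.
"""
import hashlib
import hmac
import os
import time

MAX_FAILED_ATTEMPTS = 6          # assumption: lock on the 6th consecutive failure
LOCKOUT_SECONDS = 30 * 60        # the post's "minimum of half an hour"
PBKDF2_ITERATIONS = 600_000      # assumption: deliberately slow hash for storage
MIN_PASSWORD_LENGTH = 7          # assumption: illustrative minimum length


def password_meets_policy(password: str) -> bool:
    """Minimum length plus both letters and digits; tune to your own policy."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted and slow: the cleartext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class AuthStore:
    """In-memory user store with per-user lockout. `clock` is injectable so the
    lockout window can be exercised in a test without waiting 30 minutes."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._users = {}  # user_id -> record dict

    def register(self, user_id: str, password: str) -> None:
        if user_id in self._users:
            raise ValueError("user IDs must be unique")
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self._users[user_id] = {
            "salt": salt,
            "hash": hash_password(password, salt),
            "failures": 0,
            "locked_until": 0.0,
            "enabled": True,
        }

    def disable(self, user_id: str) -> None:
        """Immediate revocation for a terminated user: no grace period."""
        self._users[user_id]["enabled"] = False

    def unlock(self, user_id: str) -> None:
        """Manual unlock by an administrator before the lockout window ends."""
        rec = self._users[user_id]
        rec["failures"] = 0
        rec["locked_until"] = 0.0

    def authenticate(self, user_id: str, password: str) -> str:
        """Returns 'ok', 'bad_credentials', 'locked' or 'disabled'.
        Unknown IDs get the same answer as a wrong password, and the hash is
        still computed, so the response does not reveal which IDs exist."""
        rec = self._users.get(user_id)
        if rec is None:
            hash_password(password, b"\x00" * 16)  # keep timing similar
            return "bad_credentials"
        if not rec["enabled"]:
            return "disabled"
        now = self._clock()
        if now < rec["locked_until"]:
            return "locked"
        if rec["locked_until"]:
            # Lockout window has elapsed: start counting failures afresh.
            rec["failures"] = 0
            rec["locked_until"] = 0.0
        candidate = hash_password(password, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILED_ATTEMPTS:
            rec["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "bad_credentials"
```

The `authenticate` result is a string rather than a boolean so that the calling application can log each outcome per user ID, which is the evidence an assessor will ask for when checking that lockouts and revocations actually happen; the `unlock` method is the manual path the post mentions as the alternative to waiting out the lockout.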
We strongly recommend implementing a centralized solution that restricts access to systems based on the user's role. Such a solution also allows you to monitor user activity and enforce strong password policies centrally.
Need help with PCI DSS implementation? Our QSAs can help out.
Read more about:
PCI DSS requirement 1: Protecting Cardholder data environment
PCI DSS requirement 2: Change your defaults
PCI DSS requirement 3: Don’t store cardholder data
PCI DSS requirement 4: Encryption
PCI DSS requirement 5: Update and Scan
PCI DSS requirement 6: Develop and maintain secure systems and applications
PCI DSS requirement 7: Restrict access to CHD
PCI DSS requirement 8: Identify, Authenticate, and Authorize
PCI DSS requirement 9: Restrict physical access to Cardholder data