This blog is part of a blog series on the 12 requirements of PCI DSS. We discuss the common challenges and explain what kind of evidence is needed to comply with the requirement. Now we speak about:

 

Requirement 8 of PCI DSS: Identify and authenticate access to systems

 

The possibility of identifying the actions of the people with access to data or critical systems guarantees that each person is responsible for their actions.

Although it is possible to implement authentication systems based on different factors, the most used is user ID and password (factor I), leaving the other authentication factors (2 and 3) as additional protection.

The success of an authentication system implementation, generally based on a password, depends on its design and the security methods for its protection during its transmission and storage.

 

The main challenges and steps that we must consider

 

  1. Management of user identification
    Implement policies and procedures to ensure the proper management of user identification.
  2. Unique ID
    Define a unique ID for all users before allowing them to access system components or cardholder data.
  3. Install a process for changes
    Implement a process to maintain control of new additions, deletions and modifications of access credentials for all user IDs.
  4. Control user ID’s on unemployment
    Cancel all access granted to any unemployed user, immediately.
  5. Control user ID’s on inactive use
    Suspend the users of inactive long-standing employees.
  6. Control third-party access
    Enable and monitor third-party access ONLY when being necessary and for a limited time.
  7. Monitor activities for all user IDs
    Monitor activities for all user IDs, especially those granted to third-parties.
  8. Set up an account lock for failed accesses
    Limit the attempted number of failed accesses through the account lock for a minimum of half an hour or manually unlock.
  9. Set up 2fa
    Implement double authentication factor for administrative accesses that do not console and especially for all remote access.
  10. Use strong encryption
    Use only strong encryption for the transmission and storage of authentication passwords.
  11. Use strong password policies
    Implement a strong password policy to reduce the risk of it not being easy to guess for a malicious person who wishes to use valid user identification.
  12. Prohibit the use of generic users or shared passwords
    This threatens the possibility of univocally identifying the activities of users.
  13. Train staff on security awareness
    The personnel must always know and respect the security policies and the procedures for identification and access authorization. Be creative in training staff frequently and recognize the procedures and policies of secure authentication.

We strongly recommend the implementation of a centralized solution that allows restricting access to the system based on the role. This type of system solution also allows to monitor user activity and implement strong centralized password policies.

 

Like to read more blogs about the PCI DSS requirements? Read about requirement 7 or requirement 6.
Need help to comply with PCI DSS? Our QSAs are here to help. Contact us directly or read more about our approach towards PCI DSS compliance.