NL +31 (0)20 4232420 / SP +34 937 379 542

This blog is part of a blog series on the 12 requirements of PCI DSS. We discuss the common challenges and explain what kind of evidence is needed to comply with the requirement. Now we speak about:


Requirement 8 of PCI DSS: Identify and authenticate access to systems


The possibility of identifying the actions of the people with access to data or critical systems guarantees that each person is responsible for their actions.

Although it is possible to implement authentication systems based on different factors, the most used is user ID and password (factor I), leaving the other authentication factors (2 and 3) as additional protection.

The success of an authentication system implementation, generally based on a password, depends on its design and the security methods for its protection during its transmission and storage.


The main challenges and steps that we must consider


  1. Management of user identification
    Implement policies and procedures to ensure the proper management of user identification.
  2. Unique ID
    Define a unique ID for all users before allowing them to access system components or cardholder data.
  3. Install a process for changes
    Implement a process to maintain control of new additions, deletions and modifications of access credentials for all user IDs.
  4. Control user ID’s on unemployment
    Cancel all access granted to any unemployed user, immediately.
  5. Control user ID’s on inactive use
    Suspend the users of inactive long-standing employees.
  6. Control third-party access
    Enable and monitor third-party access ONLY when being necessary and for a limited time.
  7. Monitor activities for all user IDs
    Monitor activities for all user IDs, especially those granted to third-parties.
  8. Set up an account lock for failed accesses
    Limit the attempted number of failed accesses through the account lock for a minimum of half an hour or manually unlock.
  9. Set up 2fa
    Implement double authentication factor for administrative accesses that do not console and especially for all remote access.
  10. Use strong encryption
    Use only strong encryption for the transmission and storage of authentication passwords.
  11. Use strong password policies
    Implement a strong password policy to reduce the risk of it not being easy to guess for a malicious person who wishes to use valid user identification.
  12. Prohibit the use of generic users or shared passwords
    This threatens the possibility of univocally identifying the activities of users.
  13. Train staff on security awareness
    The personnel must always know and respect the security policies and the procedures for identification and access authorization. Be creative in training staff frequently and recognize the procedures and policies of secure authentication.

We strongly recommend the implementation of a centralized solution that allows restricting access to the system based on the role. This type of system solution also allows to monitor user activity and implement strong centralized password policies.


Need help with PCI DSS implementation? Our QSAs can help out.

Read more about:
PCI DSS requirement 1: Protecting Cardholder data environment
PCI DSS requirement 2: Change your defaults
PCI DSS requirement 3: Don’t store cardholder data  
PCI DSS requirement 4: Encryption  
PCI DSS requirement 5: Update and Scan 
PCI DSS requirement 6: Develop and maintain secure systems and applications
PCI DSS requirement 7: Restrict access to CHD 
PCI DSS requirement 8: Identify, Authenticate, and Authorize  
PCI DSS requirement 9: Restrict physical access to Cardholder data 
PCI DSS requirement 10: Track and monitor all access to network resources and cardholder data