PCI DSS Requirement 8 focuses on identifying and authenticating access to system components. These actions are essential to secure systems.
The access definition helps you hold each user responsible for their actions by identifying each user in your network. Assigning a unique ID to each user lets you know who is doing what specific activities on your systems.
Authentication makes sure that who you think you are is the person accessing the computer. If no security measures are taken at the entry point, passwords and other authentication methods will likely become vulnerable to an attacker during transmission and storage. Identification and verification functions work together to ensure the security of your system’s components.
To protect against unauthorized access to your systems and data, you must apply robust protection methods. PCI DSS Requirement 8 contains access control and password policies and many essential items for employees and third parties to address.
How to Identify and Verify Access to System Components?
System components in PCI DSS requirements refer to internal and external networks, servers, and applications connected to cardholder data. System components can be anything from firewalls to keys and databases.
PCI Requirement 8 requires you to define and verify access to system components. Identifying each user on your system allows you to hold each user responsible for their actions. Assigning a unique ID to each user lets you know who performed what specific actions on your systems.
Authentication ensures that the person accessing your system is who you say it to. If no security measures are taken at the entry point, in transit, and during storage, passwords and other authentication methods will likely be exposed to an attacker. You must safely perform identification and verification actions to protect your system components.
It is necessary to remember that PCI Requirement 8 applies to all accounts, including management-capable point of sale accounts, and applies to all accounts used for displaying cardholder data, accessing cardholder data, or accessing cardholder data systems.
PCI DSS Requirement 8 includes vendors and other third parties’ accounts but does not apply to accounts used by consumers.
However, PCI DSS states that PCI Requirements 8.1.1, 8.2, 8.5, 8.2.3 – 8.2.5, and 8.1.6 – 8.1.8 do not apply to user accounts within a point of sale payment application.
User IDs, passwords, two-factor authentication, policies and procedures, and cryptography are variables that influence PCI Requirement 8, but identification and authentication are the most important acts to note. Remembering to identify and authenticate in every aspect of your access control process matures and secures your system components.
Companies needing PCI Compliance to face some known challenges under requirement 8:
- Multi-Factor Authentication for Administrative Access: PCI requirement 8.3 is a challenge most companies face. The requirement requires you to secure all individual, non-console administrative access and all remote access to the CDE using multi-factor authentication.
- Shared Identities and Generic Identities Should Be Disabled: This requirement can be difficult depending on the organization’s size. However, it is a perfect practice for general security. Create unique, alternative upgraded accounts for each user who needs access level.
- Restrict Database Access That May Contain Cardholder Data: This requirement in 8.7 can be difficult to change if implemented incorrectly before your PCI journey. The PCI requirements in this area are apparent on who will make the access and how. To protect the data in question, make sure that access is done correctly and adequately.
- Documentation: This painful chore is an additional task that someone in your company should have. Security policies and operational procedures should be kept up to date, reviewed, and known to all affected parties.
Provide Individual Responsibility
It is essential to ensure that any user who needs to access your systems has a unique identifier. Thus, there is no disagreement about who is performing a specific task later. The strict application of unique identifiers necessarily prevents the use of group-based or mutual identities for each person.
You will need to maintain full transparency when adding new users, changing existing passwords, or removing or deactivating user accounts that no longer require access. This type of accountability involves the immediate revocation of access for a terminated user, such as an employee who just left your company.
Flexible Access Management
It is good to have a PCI-compliant user access policy, but this policy ensures compliance only in part to comply with PCI DSS. It would be best if you supported the user access policy with an access management program that specifies specific tasks such as:
- Restrict access to data by third parties, such as vendors requiring remote access to services or support systems. Grant access and monitor usage of your system only when these parties need it. Don’t give unlimited access 24/7.
- Lockout users who have made several unsuccessful login attempts for a specified period to prevent password guessing attacks.
- Force login again after a period of inactivity to make the system inaccessible to any user and continue to minimize impersonation risk.
- Apply multi-factor authentication methods for individuals attempting administrative or remote non-console access to the cardholder data set’s device components.
PCI DSS requires a robust authentication method for all access types. The standard also provides various information about the implementation and management of this authentication method. For example, in the case of passwords, to comply with PCI DSS Requirement 8.2, you must do the following:
- Use strong cryptography to make all authentication information such as passwords unreadable on all device components during transmission and storage.
- Identify stringent authentication requirements. All passwords should be updated at least every 90 days as an essential requirement. You must apply at least seven alphanumeric characters for any password. Reuse of past passwords should be prohibited.
- Give each new user a startup password and let them change the password the first time they access your program.
- Prohibit the use of group shared passwords.
After you develop an authentication policy, inform all users of your policy to help them understand and follow the requirements.
Using the Right Frame
While many companies continue to be victims of intrusion attacks, it is clear that securing access to internal information with a traditional username and password is no longer sufficient. Today, companies own digital format data, users and devices used to access them are always connected and vulnerable to a wide variety of attacks.
When users work from within an organization, most of the resources they access are no longer within firewalls’ confines. Many systems are stored in the cloud and provide everyone, both friend and enemy, anywhere and at any time. As criminals successfully reveal their passwords by tricking people, leveraging technologies such as a biometric reader for added security is an excellent way to increase protection.
Since organizations often have to manage and maintain multiple infrastructures, they need to grant a central place to manage all authentication policies.
Multiple authentication infrastructures are not only complicated but also less reliable. What you need for all your devices and methods is a single, two-factor, or multi-factor authentication framework. A robust single sign-on solution is an integral element of easy and secure access by providing access to all applicable services offered by the customer.