PCI Requirement 8 - Identify, Authenticate, and Authorize!!

This is the eighth blog in a 12-part series addressing each PCI DSS Requirement and the challenges faced by companies going through this process.  To view the previous blog posts in this series, please follow the links below:

PCI Requirement 1 - Defending the Wall

PCI Requirement 2 - Change Your Defaults!

PCI Requirement 3 - Don't Store Cardholder Data!

PCI Requirement 4 - Hide in Plain Sight!

PCI Requirement 5 - Update and Scan

PCI Requirement 6 - Patches and Scanning and Coding, Oh My!!

PCI Requirement 7 - Thou Shall Not Pass!

PCI requirement 8: Identify and authenticate access to system components

Requirement 8 builds on the access control portion of your PCI program. This requirement will put some configuration requirements into your access control in and around passwords and administrator access to the CDE. In my humble opinion, the requirements in Requirement 8 for passwords are a bit dated and “soft” when you compare them with basic services we use daily like Gmail or Dropbox. Requirement 8 also incorporates multi-factor authentication into the areas where administrative and non-console remote access is needed. Multi-factor authentication is something I recommend in general for good IT Security practices, as it helps alleviate some of the soft perceptions this requirement has in areas. However, for User ID and Passwords, here are some of the parameter highlights in PCI requirement 8:

• Every user must have own unique ID
• Upon termination the ID must be revoked immediately (there are other controls in place that can support this action)
• Minimum password length of 7 characters (weak in IT security)
• Passwords must contain letters and numbers (weak in IT security)
• Lockout access after 6 unsuccessful attempts and keep locked for 30 minutes or when admin unlocks
• Idle sessions must timeout in 15 minutes or less
• New passwords must be different than the last 4 used and are to reset every 90 days (allows for about a year of password recycling, a bit soft nowadays)

Requirement 8 really buttons down the configuration of passwords and ID’s to access your CDE. These seem very straightforward and are not hard to implement in a Windows and Linux environment. There are many more details not highlighted here, a read through the entire requirement with a QSA can really help identify your weak areas. However, like most requirements there are some challenges companies face.

Companies that require PCI Compliance face some familiar challenges within requirement 8:

1. Multi-factor Authentication for Administrative Access!! – PCI requirement 8.3 specifically is a challenge most companies face. The requirement requires that you secure all individual, non-console administrative access and all remote access to the CDE using multi-factor authentication. This can be accomplished a bit easier with various technologies available, but there is a cost and an administrative task associated to this.
2. Shared ID’s and Generic ID’s Should be Disabled - This can be difficult depending on the size of the organization, but it’s a very good practice in general security. Take this access away and create alternate elevated accounts unique for each user needing that level of access.
3. Restricting Database Access that may Contain Cardholder Data - This requirement in 8.7 can be difficult to change if implemented incorrectly prior to your PCI journey. PCI requirements in this area are very clear on who and how to do this. Ensure this is done correctly to protect that data.
4. Documentation - This painful chore is just one additional task someone must own in your company. Security policies and operational procedures must be kept up to date and reviewed and known to all affected parties. Not the most glamorous task but an essential one.

Compass is well versed in the PCI compliance space and can help your company with a risk assessment to determine what you need to do to comply with all the PCI requirements that are in scope, based on your business model.

These challenges are just some of the areas within the PCI DSS requirements that many of our client’s face. Another area where our client’s experience challenges is keeping track of the various requirements that must be completed on a quarterly, semi-annual, and annual basis for PCI Compliance. Therefore, Compass IT Compliance has created our PCI Compliance checklist, one for service providers and one for merchants. This simple, easy to use checklist gives you the PCI requirements, what you must do to achieve/maintain compliance, and how often you need to complete each requirement. To download your copy today, click on the button below!