How Can I Authenticate Access to System Components (PCI DSS Requirement 8)?
Strong security is essential for protecting your systems and data from unauthorized access. Requirement 8 of the PCI DSS contains many elements that you need to address in your access control and password policies for staff members and third parties alike.
Ensuring individual accountability
It’s important to ensure that every user (internal or external) who needs access to your systems has a unique identifier so that no dispute occurs later about who performed a particular task. (For details on handling nonrepudiation, for example, see PCI DSS Requirement 8.1.) Strict enforcement of unique identifiers for each user inherently prevents the use of group-based or shared identities (see PCI DSS Requirements 8.1.5 and 8.5).
You also need to ensure full accountability whenever new users are added, existing credentials are modified, or the accounts of users who no longer need access are deleted or disabled. This accountability includes revoking access immediately for a terminated user, such as an employee who has just left your company (see PCI DSS Requirements 7.1.4 and 8.1.2).
Making access management flexible
Having a compliant user access policy is all well and good, but that policy takes you only part of the way to compliance with the PCI DSS. You’re required to underpin your user access policy with an access management system that spells out various tasks, such as the following:
- Restricting data access by third parties (such as vendors that require remote access to service or support your systems). Grant access only when those parties need it, and monitor their use of your system. Never offer unrestricted 24/7 access.
- Locking out users who make multiple unsuccessful login attempts over a specified period (to make automated password attacks more difficult).
- Making the system unavailable to any user after a specified period of inactivity and requiring a repeat login to continue (to minimize the risk of impersonation).
- Enforcing multifactor authentication methods (normally, tokens or smart cards) for people who attempt non-console administrative or remote access to cardholder-data-environment system components. This enhanced security approach raises the bar for attackers.
Beefing up authentication
For all types of access, the standard expects a strong authentication system. The standard also provides details on implementing and managing this authentication system. In the case of passwords, for example, PCI DSS Requirement 8.2 directs you to do the following:
- Use strong cryptography to render all authentication credentials (such as passwords or passphrases) unreadable during transmission and storage on all system components, thereby devaluing data where it’s most vulnerable to an insider attack.
- Set strict conditions for passwords. As a fundamental requirement, all passwords must be changed every 90 days as a minimum. You must enforce a minimum of seven alphanumeric characters for any given password. The reuse of previous passwords must be prohibited.
- Supply an initial password to each new user, and require her to change that password the first time she accesses your system.
- prohibit group shared passwords.
After you establish an authentication policy, provide it to all users to help them understand and follow the requirements.
Note: This material is drawn from PCI Compliance & Data Protection for Dummies, Thales Limited Edition, by Ian Hermon and Peter Spier.