PCI Requirement 8
Identify and authenticate access to system components
Welcome to PCI Requirement 8, which focuses on two actions: identify and authenticate. How do you trace the actions of each user in your system? Are your user IDs and passwords secure? How do you know if your users are who they say they are? Does your staff know what to do if they suspect their account is at risk?
Our PCI Requirement 8 videos will show you how to establish a process of identifying and authenticating access into your organization’s systems. Click on a video below to get started with PCI Requirement 8.
PCI Requirement 8: Identify and Authenticate Access to System Components
PCI Requirement 8 focuses on two actions: identify and authenticate. These actions are critical to protecting your systems. PCI Requirement 8 states, “Identify and authenticate access to system components.”
PCI Requirement 8.1 – Define and Implement Policies and Procedures to Ensure Proper User Management
PCI Requirement 8.1 focuses on proper user identification management. If there’s no management of users within your system, you’ve lost accountability for the actions that take place within your systems.
PCI Requirement 8.1.2 – Control Addition, Deletion, and Modification of User IDs, Credentials
PCI Requirement 8.1.2 states, “Control addition, deletion, and modification of user IDS, credentials, and other identifier objects.” To meet PCI Requirement 8.1.2, there must be a formal program of control and someone within your organization must be responsible for the addition, deletion, and modification of user IDS and other credentials.
PCI Requirement 8.1.3 – Immediately Revoke Access for Terminated Users
We’ve all heard a horror story of a terminated employee or someone that has left the company discovering their account was left open or active, giving them access to your network, and malicious access to cardholder data occurred. PCI Requirement 8.1.3 seeks to keep situations like these from happening.
PCI Requirement 8.1.4 – Remove/Disable Inactive User Accounts Within 90 Days
Are User Accounts Actively In Use?
PCI Requirement 8.1.4 calls…
PCI Requirement 8.1.4 calls…
PCI Requirement 8.1.5 – Manage IDs Used by Third Parties to Access, Support, or Maintain System Components via Remote Access
Managing Third-Party Access
PCI Requirement 8.1.5 focuses…
PCI Requirement 8.1.5 focuses…
PCI Requirement 8.1.6 – Limit Repeated Access Attempts by Locking Out User ID After No More Than Six Attempts
Appropriate Account Lockout Mechanisms
PCI Requirement 8.1.6…
PCI Requirement 8.1.6…
PCI Requirement 8.1.7 – Set Lockout Duration to a Minimum of 30 Minutes
Account Lockout Duration
Once a user account is locked…
Account Lockout Duration
Once a user account is locked…
PCI Requirement 8.1.8 – Require Re-Authentication After 15 Minutes of Inactivity
Inactive Sessions
I’m sure you’ve witnessed or heard about…
I’m sure you’ve witnessed or heard about…
PCI Requirement 8.2 – Ensure Proper User-Authentication Management by Something You Know, Something You Have, or Something You Are
Proper User-Authentication Management
PCI Requirement 8.2…
Proper User-Authentication Management
PCI Requirement 8.2…
PCI Requirement 8.2.1 – Use Strong Cryptography to Render All Authentication Credentials Unreadable During Transmission and Storage
Strong Cryptography in Transmission and Storage
PCI Requirements…
PCI Requirements…
PCI Requirement 8.2.2 – Verify User Identity Before Modifying Any Authentication Credential
Preventing Social Engineering
PCI Requirement 8.2.2 states,…
PCI Requirement 8.2.2 states,…
PCI Requirement 8.2.3 – Passwords/Passphrases Must Require a Minimum of Seven Characters and Contain Both Numeric and Alphabetic Characters
Requirements for Password/Passphrase Complexity and Strength
Passwords/passphrases…
Passwords/passphrases…
PCI Requirement 8.2.4 – Change User Passwords/Passphrases at Least Once Every 90 Days
Password/Passphrase Expiration
PCI Requirement 8.2.4 expects…
PCI Requirement 8.2.4 expects…
PCI Requirement 8.2.5 – New Passwords/Passphrases Can’t Be the Same as Any of the Last Four Passwords/Passphrases Used
Effectiveness of Changing Passwords
PCI Requirement 8.2.5…
PCI Requirement 8.2.5…
PCI Requirement 8.2.6 – Set Passwords/Passphrases for First-Time Use and Upon Reset to a Unique Value for Each and Change Immediately After First Use
Unique Value for First-Time Use and Resets
PCI Requirement…
Unique Value for First-Time Use and Resets
PCI Requirement…
PCI Requirement 8.3 – Secure All Individual Non-Console Administrative Access and All Remote Access into CDE Using Multi-Factor Authentication
What is Multi-Factor Authentication?
PCI Requirement 8.3…
What is Multi-Factor Authentication?
PCI Requirement 8.3…
PCI Requirement 8.3.1 – Incorporate Multi-Factor Authentication for All Non-Console Access into CDE for Personnel with Administrative Access
Multi-Factor Authentication and Administrative Access
PCI…
PCI…
PCI Requirement 8.3.2 – Incorporate Multi-Factor Authentication for all Remote Network Access
Remote Network Access and Multi-Factor Authentication
PCI…
PCI…
PCI Requirement 8.4 – Document and Communicate Authentication Policies and Procedures to All Users
Authentication Policies and Procedures
Every single PCI DSS…
Every single PCI DSS…
PCI Requirement 8.5 – Do Not Use Group, Shared, or Generic IDs, Passwords, or Other Authentication Methods
Do Not Use Group, Shared, or Generic Authentication Methods
PCI…
Do Not Use Group, Shared, or Generic Authentication Methods
PCI…
PCI Requirement 8.5.1 – Additional Requirement for Service Providers Only:
Service Providers with Remote Access to Customer Premises Must…
PCI Requirement 8.6 – Authentication Mechanisms Must Not Be Shared Among Multiple Accounts and Physical and/or Logical Controls Must Be in Place to Ensure Only Intended Account Can Use that Mechanism
Do Not Share Authentication Mechanisms
If your organization…
If your organization…
PCI Requirement 8.7 – Restrict All Access to Any Database Containing Cardholder Data
Database Access
PCI Requirement 8.7 requires that you restrict…
Database Access
PCI Requirement 8.7 requires that you restrict…
PCI Requirement 8.8 – Ensure Policies and Procedures for Identification and Authentication are Documented, in Use, and Known to All Affected Parties
Identification and Authentication Policies and Procedures
PCI…
Identification and Authentication Policies and Procedures
PCI…
