PCI Requirement 8

Identify and authenticate access to system components

Welcome to PCI Requirement 8, which focuses on two actions: identify and authenticate. How do you trace the actions of each user in your system? Are your user IDs and passwords secure? How do you know if your users are who they say they are? Does your staff know what to do if they suspect their account is at risk?

Our PCI Requirement 8 videos will show you how to establish a process of identifying and authenticating access into your organization’s systems. Click on a video below to get started with PCI Requirement 8.

PCI Requirement 8: Identify and Authenticate Access to System Components

PCI Requirement 8 focuses on two actions: identify and authenticate. These actions are critical to protecting your systems. PCI Requirement 8 states, “Identify and authenticate access to system components.”
December 21, 2017/by Jeff Wilder
PCI Requirement 8.1 – Define and Implement Policies and Procedures to Ensure Proper User Management

PCI Requirement 8.1 focuses on proper user identification management. If there’s no management of users within your system, you’ve lost accountability for the actions that take place within your systems.
December 21, 2017/by Jeff Wilder
PCI Requirement 8.1.2 – Control Addition, Deletion, and Modification of User IDs, Credentials

PCI Requirement 8.1.2 states, “Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.” To meet PCI Requirement 8.1.2, there must be a formal program of control, and someone within your organization must be responsible for the addition, deletion, and modification of user IDs and other credentials.
December 21, 2017/by Jeff Wilder
PCI Requirement 8.1.3 – Immediately Revoke Access for Terminated Users

We’ve all heard a horror story of a terminated employee or someone that has left the company discovering their account was left open or active, giving them access to your network, and malicious access to cardholder data occurred. PCI Requirement 8.1.3 seeks to keep situations like these from happening.
December 21, 2017/by Jeff Wilder
PCI Requirement 8.1.4 – Remove/Disable Inactive User Accounts Within 90 Days

Are User Accounts Actively In Use?
PCI Requirement 8.1.4 calls…
December 21, 2017/by Jeff Wilder
PCI Requirement 8.1.5 – Manage IDs Used by Third Parties to Access, Support, or Maintain System Components via Remote Access

Managing Third-Party Access
PCI Requirement 8.1.5 focuses…
December 21, 2017/by Jeff Wilder
PCI Requirement 8.1.6 – Limit Repeated Access Attempts by Locking Out User ID After No More Than Six Attempts

Appropriate Account Lockout Mechanisms
PCI Requirement 8.1.6…
December 21, 2017/by Jeff Wilder
PCI Requirement 8.1.7 – Set Lockout Duration to a Minimum of 30 Minutes

Account Lockout Duration
Once a user account is locked…
December 21, 2017/by Jeff Wilder
PCI Requirement 8.1.8 – Require Re-Authentication After 15 Minutes of Inactivity

Inactive Sessions
I’m sure you’ve witnessed or heard about…
December 21, 2017/by Jeff Wilder
PCI Requirement 8.2 – Ensure Proper User-Authentication Management by Something You Know, Something You Have, or Something You Are

Proper User-Authentication Management
PCI Requirement 8.2…
December 21, 2017/by Jeff Wilder
PCI Requirement 8.2.1 – Use Strong Cryptography to Render All Authentication Credentials Unreadable During Transmission and Storage

Strong Cryptography in Transmission and Storage
PCI Requirements…
December 21, 2017/by Jeff Wilder
PCI Requirement 8.2.2 – Verify User Identity Before Modifying Any Authentication Credential

Preventing Social Engineering
PCI Requirement 8.2.2 states,…
December 21, 2017/by Jeff Wilder
PCI Requirement 8.2.3 – Passwords/Passphrases Must Require a Minimum of Seven Characters and Contain Both Numeric and Alphabetic Characters

Requirements for Password/Passphrase Complexity and Strength
Passwords/passphrases…
December 21, 2017/by Jeff Wilder
PCI Requirement 8.2.4 – Change User Passwords/Passphrases at Least Once Every 90 Days

Password/Passphrase Expiration
PCI Requirement 8.2.4 expects…
December 21, 2017/by Jeff Wilder
PCI Requirement 8.2.5 – New Passwords/Passphrases Can’t Be the Same as Any of the Last Four Passwords/Passphrases Used

Effectiveness of Changing Passwords
PCI Requirement 8.2.5…
December 21, 2017/by Jeff Wilder
PCI Requirement 8.2.6 – Set Passwords/Passphrases for First-Time Use and Upon Reset to a Unique Value for Each and Change Immediately After First Use

Unique Value for First-Time Use and Resets
PCI Requirement…
December 21, 2017/by Jeff Wilder
PCI Requirement 8.3 – Secure All Individual Non-Console Administrative Access and All Remote Access into CDE Using Multi-Factor Authentication


What is Multi-Factor Authentication?
PCI Requirement 8.3…
December 21, 2017/by Jeff Wilder
PCI Requirement 8.3.1 – Incorporate Multi-Factor Authentication for All Non-Console Access into CDE for Personnel with Administrative Access

Multi-Factor Authentication and Administrative Access
PCI…
December 21, 2017/by Jeff Wilder
PCI Requirement 8.3.2 – Incorporate Multi-Factor Authentication for all Remote Network Access

Remote Network Access and Multi-Factor Authentication
PCI…
December 21, 2017/by Jeff Wilder
PCI Requirement 8.4 – Document and Communicate Authentication Policies and Procedures to All Users

Authentication Policies and Procedures
Every single PCI DSS…
December 21, 2017/by Jeff Wilder
PCI Requirement 8.5 – Do Not Use Group, Shared, or Generic IDs, Passwords, or Other Authentication Methods

Do Not Use Group, Shared, or Generic Authentication Methods
PCI…
December 21, 2017/by Jeff Wilder
PCI Requirement 8.5.1 – Additional Requirement for Service Providers Only: Service Providers with Remote Access to Customer Premises Must Use Unique Authentication Credential for Each Customer

December 21, 2017/by Jeff Wilder
PCI Requirement 8.6 – Authentication Mechanisms Must Not Be Shared Among Multiple Accounts and Physical and/or Logical Controls Must Be in Place to Ensure Only Intended Account Can Use that Mechanism

Do Not Share Authentication Mechanisms
If your organization…
December 21, 2017/by Jeff Wilder
PCI Requirement 8.7 – Restrict All Access to Any Database Containing Cardholder Data

Database Access
PCI Requirement 8.7 requires that you restrict…
December 21, 2017/by Jeff Wilder
PCI Requirement 8.8 – Ensure Policies and Procedures for Identification and Authentication are Documented, in Use, and Known to All Affected Parties

Identification and Authentication Policies and Procedures
PCI…
December 21, 2017/by Jeff Wilder