PCI Requirement 8.6 – Authentication Mechanisms Must Not Be Shared Among Multiple Accounts and Physical and/or Logical Controls Must Be in Place to Ensure Only Intended Account Can Use that Mechanism

by Randy Bartels / May 31, 2023

Do Not Share Authentication Mechanisms
If your organization uses something you have as an authentication mechanism, such as a physical device like a token, smart card or certificate, we need to make sure that the authentication device can only be assigned to, and used by, one individual. If authentication mechanisms can be used by multiple accounts, it may be impossible to identify the individual using the authentication mechanism.…

PCI Requirement 8: Identify and Authenticate Access to System Components

by Randy Bartels / May 31, 2023

What is PCI-DSS Requirement 8?
PCI Requirement 8 focuses on two actions: identify and authenticate. These actions are critical to protecting your systems. When the PCI DSS describes system components in its requirements, it’s referring to internal and external networks, servers, and applications that are connected to cardholder data. This could be anything from firewalls to switches to databases. PCI Requirement 8 states, “Identify and authenticate access to system components.”…

Vendor Compliance Management: Carve-Out vs Inclusive Method

by Joseph Kirkpatrick / July 12, 2023

Vendor Compliance Management
As you’re preparing your service organization for a SOC 1 audit, you want to identify who your third parties or vendors are, what services they provide to you, and whether they’ve gone through audits themselves. Any control that governs the vendors you utilize will be reviewed in a SOC 1 engagement. Your vendors might include a data center, an application service provider, a managed IT provider, or…

HITRUST Update: What’s New in HITRUST CSF v9

by Sarah Harvey / December 19, 2022

HITRUST released the HITRUST CSF v9 as more and more organizations look to the CSF as a way to ensure security and compliance with relevant laws. This new release displays HITRUST’s continuing “evolution of the HITRUST CSF in providing organizations with a comprehensive, common approach to managing information privacy and security risks, including cyber.” In an effort to ease the burden of overwhelming compliance demands with all of the requirements…

KRACK Security Flaw: What We Need to Know

by Sarah Harvey / December 19, 2022

Last month, researchers discovered a new weakness, known as the KRACK security flaw, in the WPA2 protocol (Wi-Fi Protected Access 2), the security method that protects all modern Wi-Fi networks. Although there is no evidence at this time that the KRACK vulnerability was maliciously exploited, this still raises many concerns for both personal and enterprise wireless devices.
What is the KRACK Security Flaw?
The KRACK security flaw, which stands…