Understanding Your SOC 1 Report: What is Scope?

by Joseph Kirkpatrick / December 20, 2022

So What Is Scope, Anyway? No matter what kind of data you’re protecting – financial information, cardholder data, ePHI – you need to understand where your assets reside and what controls are protecting them. This is why the scoping process is so important. If you don’t know where your data is, how do you plan to protect it? What is scope? How do you determine an accurate definition of scope?…

PCI Requirement 8.8 – Ensure Policies and Procedures for Identification and Authentication are Documented, in Use, and Known to All Affected Parties

by Randy Bartels / February 7, 2023

 Identification and Authentication Policies and Procedures PCI Requirement 8 focuses on two actions: identify and authenticate. These actions are critical to protecting your system. PCI Requirement 8 states, “Identify and authenticate access to system components.” In these videos, we’ve discussed authentication mechanisms, user IDs, secure passwords, inactive user IDs, cryptography, administrative access, multi-factor authentication, and more. But as we’ve learned with every PCI DSS requirement, it’s not enough just…

PCI Requirement 8.7 – Restrict All Access to Any Database Containing Cardholder Data

by Randy Bartels / December 20, 2022

 Database Access PCI Requirement 8.7 requires that you restrict all access to any database containing cardholder data and access is restricted as follows: All user access to, user queries of, and user actions on databases are through programmatic methods. Only database administrators have the ability to directly access or query databases. Application IDs for database applications can only be used by the applications (and not by individual users or…

PCI Requirement 8.6 – Authentication Mechanisms Must Not Be Shared Among Multiple Accounts and Physical and/or Logical Controls Must Be in Place to Ensure Only Intended Account Can Use that Mechanism

by Randy Bartels / May 31, 2023

Do Not Share Authentication Mechanisms If your organization uses something you have as an authentication mechanism, like a type of physical device such as a token, smart card or certificate, we need to make sure that the authentication device can only be assigned to, and used by, one individual. If authentication mechanisms can be used by multiple accounts, it may be impossible to identify the individual using the authentication mechanism.…

PCI Requirement 8.5.1 – Additional Requirement for Service Providers Only:

by Randy Bartels / December 20, 2022

Service Providers with Remote Access to Customer Premises Must Use Unique Authentication Credential for Each Customer Multiple Customers, Multiple Authentication Credentials The PCI DSS has several requirements that are specific to service providers, including PCI Requirement 8.5.1, which states, “Service providers with remote access to customer premises must use a unique authentication credential for each customer.” PCI Requirement 8.5.1 prevents the compromise of multiple customers through the use of a…