PCI Requirement 8.5 – Do Not Use Group, Shared, or Generic IDs, Passwords, or Other Authentication Methods

by Randy Bartels / December 20, 2022

Do Not Use Group, Shared, or Generic Authentication Methods PCI Requirement 8.5 cautions, “Do not use group, shared, or generic IDs, passwords, or other authentication methods.” It also outlines the following requirements: Generic user IDs are disabled or removed. Shared user IDs do not exist for system administration and other critical functions. Shared and generic user IDs are not used to administer any system components. Group, shared, or generic…

PCI Requirement 8.4 – Document and Communicate Authentication Policies and Procedures to All Users

by Randy Bartels / December 20, 2022

Authentication Policies and Procedures Every single PCI DSS requirement needs documented and implemented policies and procedures. PCI Requirement 8.4 specifically requires you to document and communicate authentication policies and procedures to all users, which include: Guidance on selecting strong authentication credentials. Guidance for how users should protect their authentication credentials. Instructions on why not to reuse previously used passwords. Instructions to change passwords if there is any suspicion the password…

PCI Requirement 8.3.2 – Incorporate Multi-Factor Authentication for all Remote Network Access

by Randy Bartels / December 20, 2022

Remote Network Access and Multi-Factor Authentication PCI Requirement 8.3.2 requires, “Incorporate multi-factor authentication for all remote network access originating from outside the entity’s network.” This applies to all personnel, general users, administrators, and even vendors accessing for support or maintenance - anyone coming into your environment using remote network access must use multi-factor authentication. As PCI Requirement 8.2 describes, the three accepted forms of multi-factor authentication that comply with PCI…

PCI Requirement 8.3.1 – Incorporate Multi-Factor Authentication for All Non-Console Access into CDE for Personnel with Administrative Access

by Randy Bartels / December 20, 2022

Multi-Factor Authentication and Administrative Access PCI Requirement 8.3.1 states, “Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.” This requirement, new to PCI DSS v3.2, applies to all personnel with administrative, non-console access to the cardholder data environment, but not to application or system accounts performing automated functions. When someone with administrative privileges is compromised, it can be detrimental to your organization. So, whether you’re…

PCI Requirement 8.3 – Secure All Individual Non-Console Administrative Access and All Remote Access into CDE Using Multi-Factor Authentication

by Randy Bartels / December 20, 2022

What is Multi-Factor Authentication? PCI Requirement 8.3 states, “Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.” But what is multi-factor authentication? According to the PCI DSS, multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. This provides additional security and assurance that the person attempting to gain access is who they…