PCI Requirement 8.4 – Document and Communicate Authentication Policies and Procedures to All Users

by Randy Bartels / December 20, 2022

Authentication Policies and Procedures

Every single PCI DSS requirement needs documented and implemented policies and procedures. PCI Requirement 8.4 specifically requires you to document and communicate authentication policies and procedures to all users, which include: guidance on selecting strong authentication credentials; guidance for how users should protect their authentication credentials; instructions on why not to reuse previously used passwords; and instructions to change passwords if there is any suspicion the password…

PCI Requirement 8.3.2 – Incorporate Multi-Factor Authentication for all Remote Network Access

by Randy Bartels / December 20, 2022

Remote Network Access and Multi-Factor Authentication

PCI Requirement 8.3.2 requires, “Incorporate multi-factor authentication for all remote network access originating from outside the entity’s network.” This applies to all personnel, general users, administrators, and even vendors accessing for support or maintenance: anyone coming into your environment using remote network access must use multi-factor authentication. As PCI Requirement 8.2 describes, the three accepted forms of multi-factor authentication that comply with PCI…

PCI Requirement 8.3.1 – Incorporate Multi-Factor Authentication for All Non-Console Access into CDE for Personnel with Administrative Access

by Randy Bartels / December 20, 2022

Multi-Factor Authentication and Administrative Access

PCI Requirement 8.3.1 states, “Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.” This requirement, new to PCI DSS v3.2, applies to all personnel with administrative, non-console access to the cardholder data environment, but not to application or system accounts performing automated functions. When someone with administrative privileges is attacked, it can be detrimental to your organization. So, whether you’re…

PCI Requirement 8.3 – Secure All Individual Non-Console Administrative Access and All Remote Access into CDE Using Multi-Factor Authentication

by Randy Bartels / December 20, 2022

What is Multi-Factor Authentication?

PCI Requirement 8.3 states, “Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.” But what is multi-factor authentication? According to the PCI DSS, multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. This provides additional security and assurance that the person attempting to gain access is who they…

PCI Requirement 8.2.6 – Set Passwords/Passphrases for First-Time Use and Upon Reset to a Unique Value for Each and Change Immediately After First Use

by Randy Bartels / December 20, 2022

Unique Value for First-Time Use and Resets

PCI Requirement 8.2.6 states, “Set passwords/passphrases for first-time use and upon reset to a unique value for each and change immediately after first use.” There are two elements to PCI Requirement 8.2.6 compliance. First, whenever a new account is being set up or reset, it needs to be given a unique value. Why? The PCI DSS explains, “If the same password is…