PCI Requirement 8.7 – Restrict All Access to Any Database Containing Cardholder Data

by Randy Bartels / December 20, 2022

Database Access
PCI Requirement 8.7 requires that you restrict all access to any database containing cardholder data, and that access be restricted as follows: All user access to, user queries of, and user actions on databases are through programmatic methods. Only database administrators have the ability to directly access or query databases. Application IDs for database applications can only be used by the applications (and not by individual users or…

PCI Requirement 8.6 – Authentication Mechanisms Must Not Be Shared Among Multiple Accounts and Physical and/or Logical Controls Must Be in Place to Ensure Only Intended Account Can Use that Mechanism

by Randy Bartels / May 31, 2023

Do Not Share Authentication Mechanisms
If your organization uses something you have as an authentication mechanism, like a type of physical device such as a token, smart card or certificate, we need to make sure that the authentication device can only be assigned to, and used by, one individual. If authentication mechanisms can be used by multiple accounts, it may be impossible to identify the individual using the authentication mechanism.…

PCI Requirement 8.5.1 – Additional Requirement for Service Providers Only: Service Providers with Remote Access to Customer Premises Must Use Unique Authentication Credential for Each Customer

by Randy Bartels / December 20, 2022

Multiple Customers, Multiple Authentication Credentials
The PCI DSS has several requirements that are specific to service providers, including PCI Requirement 8.5.1, which states, “Service providers with remote access to customer premises must use a unique authentication credential for each customer.” PCI Requirement 8.5.1 prevents the compromise of multiple customers through the use of a…

PCI Requirement 8.5 – Do Not Use Group, Shared, or Generic IDs, Passwords, or Other Authentication Methods

by Randy Bartels / December 20, 2022

Do Not Use Group, Shared, or Generic Authentication Methods
PCI Requirement 8.5 cautions, “Do not use group, shared, or generic IDs, passwords, or other authentication methods.” It also outlines the following requirements: Generic user IDs are disabled or removed. Shared user IDs do not exist for system administration and other critical functions. Shared and generic user IDs are not used to administer any system components. Group, shared, or generic…

PCI Requirement 8.4 – Document and Communicate Authentication Policies and Procedures to All Users

by Randy Bartels / December 20, 2022

Authentication Policies and Procedures
Every single PCI DSS requirement needs documented and implemented policies and procedures. PCI Requirement 8.4 specifically requires you to document and communicate authentication policies and procedures to all users, which include: Guidance on selecting strong authentication credentials. Guidance for how users should protect their authentication credentials. Instructions on why not to reuse previously used passwords. Instructions to change passwords if there is any suspicion the password…