PCI Requirement 6.5.8 – Improper Access Control

by Randy Bartels / October 13th, 2017

What is Improper Access Control?

PCI Requirement 6.5.8 states that your organization’s applications are protected from improper access control, such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions. PCI Requirement 6.5.8 applies to all of your organization’s web applications, internal application interfaces, and external application interfaces. The PCI DSS singles out web applications because they carry unique security risks and are comparatively easy, and frequently, compromised.

The PCI DSS outlines four types of improper access control:

  1. Insecure direct object references occur when a developer exposes a reference to an internal implementation object as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
  2. Failure to restrict URL access: applications often try to protect sensitive functionality only by not displaying the links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by requesting those URLs directly.
  3. Directory traversal vulnerabilities could allow an attacker to enumerate or navigate the directory structure of the site, thus gaining access to unauthorized information as well as further insight into the workings of the site for later exploitation.
  4. Failure to restrict user access to functions permits access to unauthorized functions, which could result in unauthorized individuals gaining access to privileged credentials or cardholder data. Only authorized users should be permitted to access direct object references to sensitive resources.

In order to comply with PCI Requirement 6.5.8, your organization’s policies and procedures must address proper authentication of users, sanitizing input, not exposing internal object references to users, and user interfaces that do not permit access to unauthorized functions. To verify your compliance with PCI Requirement 6.5.8, an assessor will review these policies and procedures and interview the responsible personnel to ensure that your development process protects your applications from improper access control.

There will be points within your application where either end-users or other applications request access to information or to certain pages within your environment. PCI Requirement 6.5.8 requires that you have some type of validation in place so that, before the requested data is returned to that end-user, the request is checked to confirm they are actually permitted to view it.
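As an added example that is not from this post or from the PCI DSS, the following Python shows the kind of server-side validation the requirement calls for, one check per failure class named above (the object-ownership check for insecure direct object references, a role map for function-level access, and path canonicalization for directory traversal). The role names, record store and base directory are assumed.

```python
# Added example: server-side authorization checks for the PCI 6.5.8 failure classes.
# Role names, records and directories below are constructed, not from any real system.
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # assumed roles: "customer" or "admin"


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested resource."""


# Constructed sample data: record id -> (owner user id, masked card number)
RECORDS = {101: (1, "**** **** **** 4242"), 102: (2, "**** **** **** 1111")}


def get_record(user: User, record_id: int) -> str:
    """Insecure direct object reference defence: the id taken from the URL or form
    is honoured only if the record belongs to the caller (or the caller is an admin)."""
    owner, masked_pan = RECORDS.get(record_id, (None, None))
    if owner is None or (owner != user.user_id and user.role != "admin"):
        # Same outcome for unknown and foreign ids, so the response does not reveal
        # which ids exist.
        raise Forbidden(f"record {record_id} not available to user {user.user_id}")
    return masked_pan


# Function-level access control: each privileged action lists the roles allowed to
# call it, so hiding a link or URL in the UI is never the only control.
FUNCTION_ROLES = {
    "export_cardholder_data": {"admin"},
    "view_statement": {"customer", "admin"},
}


def authorize_function(user: User, function_name: str) -> bool:
    """Return True only if the caller's role is explicitly allowed for the function."""
    return user.role in FUNCTION_ROLES.get(function_name, set())


def resolve_download(base_dir: str, requested: str) -> Path:
    """Directory traversal defence: canonicalize the joined path and require it to
    stay inside base_dir, instead of searching the input string for '..'."""
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()
    try:
        target.relative_to(base)  # raises ValueError if target escaped base_dir
    except ValueError:
        raise Forbidden(f"path {requested!r} escapes {base_dir}") from None
    return target
```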