PCI Requirement 8.1 – Define and Implement Policies and Procedures to Ensure Proper User Management
Never Share User IDs and Passwords
PCI Requirement 8.1 focuses on proper user identification management. If there’s no management of users within your system, you’ve lost accountability for the actions that take place within your systems. It’s hard to determine who has taken which actions if you cannot identify users. The PCI DSS states that having uniquely identified users, instead of using one user ID for several employees, allows organizations to maintain individual responsibility for actions and keep an effective audit trail per employee. This will also help speed up resolution and containment processes when misuse or malicious intent occurs.
We can’t stress enough how important it is to define and implement policies and procedures, but it’s especially important here. Specifically, PCI Requirement 8.1 requires organizations to define and implement policies and procedures to ensure proper user identification management. These policies and procedures should outline the measures defined in the sub-requirements of PCI Requirement 8.1:
- 8.1.1 – Assign all users a unique ID before allowing them to access system components or cardholder data.
- 8.1.2 – Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
- 8.1.3 – Immediately revoke access for any terminated users.
- 8.1.4 – Remove/disable inactive user accounts within 90 days.
- 8.1.5 – Manage IDs used by third parties to access, support, or maintain system components via remote access.
- 8.1.6 – Limit repeated access attempts by locking out the user ID after not more than six attempts.
- 8.1.7 – Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.
- 8.1.8 – If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.
To verify compliance with PCI Requirement 8.1, an assessor will expect your organization to have defined and implemented policies and procedures to ensure proper user identification management. An assessor will review your organization’s policies and procedures to verify that they outline processes to meet PCI Requirements 8.1.1 through 8.1.8. An assessor will also review all of the authentication stores within your environment to verify that everyone has their own unique username and password, and to see whether any generic user accounts are in use.
In PCI Requirement 8.1, we call out the need for everybody within your environment to have their own unique user ID. You should never share a username. The intent behind that is accountability: when someone uses somebody else’s username and password, accountability for the actions that have taken place is lost. From a logging and forensics perspective, it gets pretty hard to determine who’s done what when multiple people use the same account. Specific to this requirement, we look to see that everybody gets their own username and password.
From an assessment perspective, what we’ll typically do is look at all of the authentication that you have within your environment and we’ll look to see that everybody has their own username and password. When looking at your authentication stores, we’re looking to see if there are generic user accounts. There are some situations where it’s hard to get away from this. For example, if you’re in a break/fix environment, you might have to use an administrator account. There are situations where you can assign privileges to individuals within your organization that give them those rights, but where this really gets sticky is when we come across the use of root, and we’ll talk about that later in subsequent requirements.
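As an added example (not from the original article or from any assessor's toolkit), the script below does in code what the sub-requirement list and the assessment discussion above describe: it reviews a constructed export of an authentication store for shared or generic IDs (8.1.1), terminated users still enabled (8.1.3), accounts inactive for more than 90 days (8.1.4) and third-party IDs left enabled outside a support window (8.1.5), and it checks a lockout and idle-timeout policy against the 8.1.6 to 8.1.8 thresholds. The record fields (`owners`, `terminated`, `third_party`, `support_window_open`) and the policy keys are assumptions made for this example, not the format of any real identity product.

```python
from datetime import date

# Thresholds as stated in PCI DSS 8.1.4, 8.1.6, 8.1.7 and 8.1.8
INACTIVITY_LIMIT_DAYS = 90
MAX_FAILED_ATTEMPTS = 6
MIN_LOCKOUT_MINUTES = 30
MAX_IDLE_MINUTES = 15

# Constructed sample export of an authentication store (hypothetical format).
# "owners" lists the people who actually use the ID; a compliant ID has
# exactly one owner. Every value here is made up for the example.
ACCOUNTS = [
    {"user": "jsmith", "owners": ["Jane Smith"], "enabled": True,
     "last_login": date(2024, 5, 28), "terminated": False, "third_party": False},
    {"user": "helpdesk", "owners": ["Jane Smith", "Bob Jones"], "enabled": True,
     "last_login": date(2024, 5, 30), "terminated": False, "third_party": False},
    {"user": "admin", "owners": [], "enabled": True,
     "last_login": date(2024, 5, 31), "terminated": False, "third_party": False},
    {"user": "bjones", "owners": ["Bob Jones"], "enabled": True,
     "last_login": date(2024, 1, 15), "terminated": False, "third_party": False},
    {"user": "rlee", "owners": ["Rita Lee"], "enabled": True,
     "last_login": date(2024, 5, 20), "terminated": True, "third_party": False},
    {"user": "acme-support", "owners": ["Acme Support Inc."], "enabled": True,
     "last_login": date(2024, 5, 29), "terminated": False, "third_party": True,
     "support_window_open": False},
    {"user": "old-contractor", "owners": ["Former Co."], "enabled": False,
     "last_login": date(2023, 9, 1), "terminated": True, "third_party": True},
]


def review_accounts(accounts, today):
    """Return (user, requirement, message) findings for the account export."""
    findings = []
    for a in accounts:
        user = a["user"]
        # 8.1.1: one person per ID; zero owners means a generic account,
        # more than one means a shared account.
        if len(a["owners"]) != 1:
            findings.append((user, "8.1.1",
                             "shared or generic ID: %d people mapped" % len(a["owners"])))
        # 8.1.3: terminated users must be revoked immediately.
        if a["terminated"] and a["enabled"]:
            findings.append((user, "8.1.3", "terminated user still enabled"))
        # 8.1.4: active accounts unused for more than 90 days.
        if a["enabled"] and not a["terminated"]:
            idle_days = (today - a["last_login"]).days
            if idle_days > INACTIVITY_LIMIT_DAYS:
                findings.append((user, "8.1.4", "inactive for %d days" % idle_days))
        # 8.1.5: third-party IDs should only be enabled while they are needed.
        if a["third_party"] and a["enabled"] and not a.get("support_window_open", False):
            findings.append((user, "8.1.5",
                             "third-party ID enabled outside an approved support window"))
    return findings


def review_session_policy(policy):
    """Check lockout and idle-timeout settings against 8.1.6 to 8.1.8.

    lockout_minutes may be None to mean "locked until an administrator
    enables the ID", which 8.1.7 accepts. idle_timeout_minutes of None or 0
    means the session never times out.
    """
    findings = []
    if policy["max_failed_attempts"] > MAX_FAILED_ATTEMPTS:
        findings.append(("8.1.6", "lockout after %d attempts, maximum is %d"
                         % (policy["max_failed_attempts"], MAX_FAILED_ATTEMPTS)))
    lock = policy["lockout_minutes"]
    if lock is not None and lock < MIN_LOCKOUT_MINUTES:
        findings.append(("8.1.7", "lockout lasts %d minutes, minimum is %d"
                         % (lock, MIN_LOCKOUT_MINUTES)))
    idle = policy["idle_timeout_minutes"]
    if not idle or idle > MAX_IDLE_MINUTES:
        findings.append(("8.1.8", "idle timeout is %s minutes, maximum is %d"
                         % (idle, MAX_IDLE_MINUTES)))
    return findings


if __name__ == "__main__":
    for finding in review_accounts(ACCOUNTS, date(2024, 6, 1)):
        print("%-15s %-6s %s" % finding)
    # Constructed weak policy: every setting misses the requirement.
    weak = {"max_failed_attempts": 10, "lockout_minutes": 15, "idle_timeout_minutes": 30}
    for finding in review_session_policy(weak):
        print("policy          %-6s %s" % finding)
```

Run against the constructed export with a review date of 2024-06-01, the script flags `helpdesk` and `admin` under 8.1.1, `rlee` under 8.1.3, `bjones` under 8.1.4 and `acme-support` under 8.1.5, while `jsmith` and the already-disabled `old-contractor` produce nothing. The disabled-but-terminated case is deliberately silent: 8.1.3 is satisfied once the ID no longer grants access, and 8.1.4 only concerns accounts that could still be used. In a real review the export would come from your directory or identity provider and the owner mapping from HR records, which is exactly the cross-check an assessor performs when looking for generic accounts.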