PCI Requirement 8.2.2 – Verify User Identity Before Modifying Any Authentication Credential

by Randy Bartels / December 21st, 2017

Preventing Social Engineering

PCI Requirement 8.2.2 states, “Verify user identity before modifying any authentication credential.” How could this play out at your organization? Let’s imagine that you need a password reset, so you call a help desk and tell them the situation. If they unlocked your account and helped you reset the password, no questions asked, then what would stop an attacker from calling the help desk and asking the same thing? Your organization must have a process in place to verify user identity before modifying any authentication credential. The PCI DSS suggests having a shared password or secret question that only a proper user would know how to answer, which would verify user identity.

The intent of PCI Requirement 8.2.2 is to prevent social engineering. Social engineering is a type of attack that relies on human interaction and behavior to coax individuals into breaking normal security procedures. If an attacker poses as a user and tricks someone from your organization into giving them access to your environment, it’s left incredibly vulnerable. Implementing a process to verify user identity before modifying any authentication credential helps protect your organization from attacks like social engineering.

How many times have you heard about someone calling into the help desk and saying, “Hi, I’m Johnny Salesman. I fat-fingered my account. Can you please reset my password for me?” The help-desk people are trained to be helpful and supportive of their staff, and the first thing they might do is unlock that account, right? In most cases that’s fine, until the person that’s calling in and asking you to reset the account is Hacker Joe. In order to prevent that, we need to have a process in place where we authenticate the users in some capacity before we reset that password. That process of authentication is really up to you as an organization. It could be a shared password, it could be the management request – there are multiple ways you could go about authenticating individuals before resetting the password. The intent of this is to stop the social engineering attack and someone gaining access to an account that they should not have access to.