Proper User-Authentication Management
PCI Requirement 8.2 adds a layer of security on top of unique user IDs by requiring something you know, something you have, or something you are. It states, “In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users: something you know (such as a password or passphrase), something you have (such as a token device or smart card), something you are (such as a biometric).”
Understanding proper user-authentication management is easier than you might think. How many times have you entered a PIN after swiping your debit card this week? Your PIN is something you know. Has a website ever texted a one-time password to your phone before granting you access? That one-time password is something you have. Do you unlock your smartphone with a scan of your fingerprint? Your fingerprint is something you are. The PCI DSS explains, “These authentication methods, when used in addition to unique IDs, help protect users’ IDs from being compromised, since the one attempting the compromise needs to know both the unique ID and the password (or other authentication used).”
To verify compliance with PCI Requirement 8.2, an assessor needs to examine the documentation that describes your organization’s authentication methods, then observe that the methods described are consistent with your system.
We started off Requirement 8 talking about the need for everyone to get their own username and for no one to share usernames. When we get to PCI Requirement 8.2, it essentially says that everyone needs something to authenticate with. This can be a password, a biometric, or a physical device. It doesn’t really matter which method your organization uses for authentication; what matters is that every user has something they use to authenticate with.