Authentication Policies and Procedures
Every single PCI DSS requirement needs documented and implemented policies and procedures. PCI Requirement 8.4 specifically requires you to document and communicate authentication policies and procedures to all users, which include:
- Guidance on selecting strong authentication credentials.
- Guidance for how users should protect their authentication credentials.
- Instructions on why not to reuse previously used passwords.
- Instructions to change passwords if there is any suspicion the password could be compromised.
Educating your personnel on proper authentication methods is vital to the security of the cardholder data you are protecting. It helps all users have the chance to understand and follow important authentication policies. The PCI DSS explains that this guidance could be suggestions on what not to do, like using dates of birth or easy-to-guess passwords, writing down passwords, or saving them somewhere insecure. Or, it could be recommendations on how to become more aware of malicious activity and prevent it.
Why does PCI Requirement 8.4 require you to document and communicate authentication policies and procedures to all users? It’s not enough just to talk about these policies or document them for the sake of an audit. An assessor will examine all of your authentication policies and procedures and training methods, as well as interview personnel to ensure that policies and procedures are implemented. Does staff know what to do if they suspect malicious activity? Do they know how to securely change their password? Can they come up with a hard-to-guess password? Assessors want to know if your personnel have an understanding of your authentication policies and procedures.
If you’ve been involved with the PCI DSS for very long, I’m sure you’re aware that every single one of these requirements has a multitude of policies and procedures that are required. PCI Requirement 8.4 says that you need to educate your staff and provide them guidance and training on methods for good and bad authentication procedures, and what they should and shouldn’t do. You need to provide your end-users with instructions so that if they ever suspect that their passwords have been compromised, they know how to change their password.
From an assessment perspective, we’re going to be reading all of your authentication policies and procedures. We’re going to look at your training program. We’re going to look at how you’ve implemented your policies and procedures. We’re going to go find Betty sitting in the kitchen and ask her to tell us about authentication policies and procedures, tell us what your company has educated you about. We’re not look for Betty to regurgitate exactly what your policies say, but we’re looking for an understanding of these things. I don’t care verbatim what the policy says, what I’m looking for is that your staff has an understanding of your intent and that they know what to do if their password has been compromised.