PCI Requirement 8.5.1 – Additional Requirement for Service Providers Only: Service Providers with Remote Access to Customer Premises Must Use Unique Authentication Credential for Each Customer


Multiple Customers, Multiple Authentication Credentials

The PCI DSS has several requirements that are specific to service providers, including PCI Requirement 8.5.1, which states, “Service providers with remote access to customer premises must use a unique authentication credential for each customer.” PCI Requirement 8.5.1 prevents the compromise of multiple customers through the use of a single set of authentication credentials: if only one authentication credential is used for every customer, a malicious individual who compromises that one account could go on to compromise the other customers as well.

The PCI DSS also notes, “This requirement is not intended to apply to shared hosting providers accessing their own hosting environment, where multiple customer environments are hosted.”
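One way a service provider could check its own remote-access inventory against this requirement is sketched below. It is an added example, not part of the PCI DSS or the original article. The inventory rows, the customer and host names, the secrets and the audit key are all constructed, and the assumption is that the rows would come from a vault or privileged-access export.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed inventory: (customer, remote endpoint, login, secret).
# Assumption: in practice these rows come from a vault or PAM export.
INVENTORY = [
    ("customer-a", "vpn.a.example", "svc-support", "Tr1-alpha-9fQ"),
    ("customer-a", "pos.a.example", "svc-support", "Tr1-alpha-9fQ"),
    ("customer-b", "vpn.b.example", "svc-remote", "Tr1-alpha-9fQ"),
    ("customer-c", "vpn.c.example", "svc-support", "Zx7-gamma-2Lm"),
    ("customer-d", "vpn.d.example", "svc-support", "Qp4-delta-8Rk"),
    ("customer-e", "vpn.e.example", "svc-support", "Qp4-delta-8Rk"),
]

def fingerprint(audit_key: bytes, secret: str) -> str:
    """Keyed digest of a secret, so the audit report never contains the secret."""
    return hmac.new(audit_key, secret.encode(), hashlib.sha256).hexdigest()[:16]

def find_shared_credentials(inventory, audit_key: bytes):
    """Return {fingerprint: [customers]} for secrets used by more than one customer.

    Reuse across several hosts of the same customer is not reported here:
    the requirement is about one credential spanning different customers.
    """
    customers_by_secret = defaultdict(set)
    for customer, _endpoint, _login, secret in inventory:
        customers_by_secret[fingerprint(audit_key, secret)].add(customer)
    return {fp: sorted(c) for fp, c in customers_by_secret.items() if len(c) > 1}

def blast_radius(inventory, audit_key: bytes):
    """Map each customer to the other customers exposed if its credential leaks."""
    exposed = defaultdict(set)
    for customers in find_shared_credentials(inventory, audit_key).values():
        for customer in customers:
            exposed[customer].update(c for c in customers if c != customer)
    return {customer: sorted(others) for customer, others in exposed.items()}

if __name__ == "__main__":
    key = b"constructed-audit-key"  # constructed; use a managed key in practice
    for fp, customers in find_shared_credentials(INVENTORY, key).items():
        print(f"credential {fp} is shared by: {', '.join(customers)}")
    for customer, others in sorted(blast_radius(INVENTORY, key).items()):
        print(f"{customer}: compromise also exposes {', '.join(others)}")
```

An empty result from `find_shared_credentials` is the state the requirement asks for. The different logins used for customer-a and customer-b do not help, because the secret itself is the same.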

Video Transcript

The PCI DSS has several requirements that are specific to service providers. If your organization is a service provider, you need to use unique authentication credentials for each of your customers. This means that if you have five clients, you use unique authentication credentials for each one. The purpose and intent behind this is if Hacker Joe is able to compromise Account 1, we want to prevent him from compromising Accounts 2, 3, 4, and 5. To limit this type of vulnerability, it’s required that you use unique authentication credentials for each customer.

From an assessment perspective, this entails examining your policies and procedures, and interviewing staff so that we understand that they understand what’s required about using unique authentication credentials.
