PCI Requirement 8.6 – Authentication Mechanisms Must Not Be Shared Among Multiple Accounts and Physical and/or Logical Controls Must Be in Place to Ensure Only Intended Account Can Use that Mechanism
Do Not Share Authentication Mechanisms
If your organization uses something you have as an authentication mechanism, like a type of physical device such as a token, smart card or certificate, we need to make sure that the authentication device can only be assigned to, and used by, one individual. If authentication mechanisms can be used by multiple accounts, it may be impossible to identify the individual using the authentication mechanism. PCI Requirement 8.6 requires that authentication mechanisms must not be shared among multiple accounts and physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access. The PCI DSS states, “Having physical and/or logical controls (for example, a PIN, biometric data, or a password) to uniquely identify the user of the account will prevent unauthorized users from gaining access through use of a shared authentication mechanism.”
During an assessment, an assessor will examine your authentication mechanisms and policies and procedures to ensure that you do not share authentication mechanisms among multiple accounts and appropriate physical and/or logical controls are in place.
If your organization uses some type of physical device for authentication, such as a token, smart card or proximity card, we need to make sure that the authentication device can only be used by a single individual and that the device is assigned to only one individual. It's also required that when an employee's relationship with the organization is terminated, the device is disabled or recalled.
There are a couple of areas where organizations struggle with PCI Requirement 8.6. If you issue certificates to your VPN client, for example a Cisco VPN client, and use them as part of your authentication scheme for getting into your environment, there's nothing wrong with that. But understand that those certificates need to be assigned to an individual; they may not be assigned to a group.
Once again, from an assessment perspective, we're going to look at all the methods and means by which you authenticate within your environment. Wherever you use a physical device for authentication, we're going to test it to confirm that the device cannot be used by more than one individual.
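The one-to-one assignment and the recall-on-termination checks described above are easy to verify against an export from the token, PKI or VPN administration system. The following audit script is an added example, not code from the original article or from the PCI DSS; it assumes an inventory in the constructed record shape shown (one record per mechanism, with an `assigned_to` list, an `active` flag, an account-status table and a set of group principals), and flags exactly the Requirement 8.6 failure modes the text names: a mechanism shared by several accounts, a mechanism bound to a group rather than a person, and an active mechanism whose owner has been terminated.

```python
from typing import Dict, List, Set

# Constructed sample inventory (not real data): one record per authentication
# mechanism, as exported from a token/PKI/VPN administration system.
MECHANISMS: List[dict] = [
    {"id": "cert-1001", "type": "certificate", "assigned_to": ["alice"], "active": True},
    # Bound to a group principal instead of an individual: not allowed under 8.6.
    {"id": "cert-1002", "type": "certificate", "assigned_to": ["vpn-admins"], "active": True},
    # One hardware token enrolled for two people: shared mechanism.
    {"id": "token-2001", "type": "hardware-token", "assigned_to": ["bob", "carol"], "active": True},
    # Owner was terminated but the card is still active: should have been recalled.
    {"id": "smartcard-3001", "type": "smart-card", "assigned_to": ["dave"], "active": True},
    # Owner terminated and the card already disabled: compliant.
    {"id": "smartcard-3002", "type": "smart-card", "assigned_to": ["erin"], "active": False},
]

# Constructed HR/directory data: account -> status, plus the names that are groups, not people.
ACCOUNT_STATUS: Dict[str, str] = {
    "alice": "active", "bob": "active", "carol": "active",
    "dave": "terminated", "erin": "terminated",
}
GROUP_PRINCIPALS: Set[str] = {"vpn-admins"}


def audit_mechanisms(mechanisms: List[dict],
                     account_status: Dict[str, str],
                     group_principals: Set[str]) -> List[dict]:
    """Return one finding per Requirement 8.6 violation in the inventory.

    Finding kinds:
      shared        - mechanism assigned to more than one account
      unassigned    - active mechanism with no owner at all
      group-owner   - mechanism assigned to a group principal, not an individual
      stale-owner   - active mechanism whose owner is not an active account
    """
    findings = []
    for m in mechanisms:
        owners = m["assigned_to"]
        if len(owners) > 1:
            findings.append({"mechanism": m["id"], "finding": "shared",
                             "detail": f"assigned to {len(owners)} accounts: {', '.join(owners)}"})
        elif not owners and m["active"]:
            findings.append({"mechanism": m["id"], "finding": "unassigned",
                             "detail": "active mechanism has no individual owner"})
        for owner in owners:
            if owner in group_principals:
                findings.append({"mechanism": m["id"], "finding": "group-owner",
                                 "detail": f"assigned to group '{owner}' rather than a person"})
            elif m["active"] and account_status.get(owner) != "active":
                # Covers both terminated accounts and owners unknown to HR/directory.
                status = account_status.get(owner, "unknown")
                findings.append({"mechanism": m["id"], "finding": "stale-owner",
                                 "detail": f"owner '{owner}' is {status} but mechanism is still active"})
    return findings


def is_compliant(mechanisms: List[dict],
                 account_status: Dict[str, str],
                 group_principals: Set[str]) -> bool:
    """True only when the inventory produces no findings."""
    return not audit_mechanisms(mechanisms, account_status, group_principals)


if __name__ == "__main__":
    for f in audit_mechanisms(MECHANISMS, ACCOUNT_STATUS, GROUP_PRINCIPALS):
        print(f"{f['mechanism']:<15} {f['finding']:<12} {f['detail']}")
    print("compliant:", is_compliant(MECHANISMS, ACCOUNT_STATUS, GROUP_PRINCIPALS))
```

Run against the constructed inventory it reports three findings (the group-bound certificate, the shared token and the card whose owner was terminated) and leaves the disabled card and the properly assigned certificate alone, which is the evidence an assessor would ask for when testing this requirement. In practice the `MECHANISMS` list would be replaced by a parsed export from the real administration system and `ACCOUNT_STATUS` by an HR or directory feed.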