PCI Requirement 8.8 – Ensure Policies and Procedures for Identification and Authentication are Documented, in Use, and Known to All Affected Parties

by Randy Bartels / December 21st, 2017

Identification and Authentication Policies and Procedures

PCI Requirement 8 focuses on two actions: identify and authenticate. These actions are critical to protecting your system. PCI Requirement 8 states, “Identify and authenticate access to system components.” In these videos, we’ve discussed authentication mechanisms, user IDs, secure passwords, inactive user IDs, cryptography, administrative access, multi-factor authentication, and more. But as we’ve learned with every PCI DSS requirement, it’s not enough just to learn and talk about these things. All policies, procedures, and standards must be implemented in order to comply with PCI Requirement 8.8.

PCI Requirement 8.8 states, “Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties.” PCI Requirement 8.8 isn’t saying that your organization only needs to maintain documented security policies and operational procedures; the policies and procedures also need to be known to and in use by all relevant parties. Your personnel must be doing what the policies, procedures, and standards require of them. It is a requirement of this framework that the affected parties actually follow the policies and procedures; it is not sufficient to generate documentation just for the sake of the audit. Your assessor should be reading these documents, becoming familiar with the policies and procedures, and interviewing staff to confirm that anybody who is subject to the policies and procedures understands what they are. If PCI Requirement 8.8 is not met, the identification and authentication controls from the rest of Requirement 8 exist only on paper, and your systems could be left vulnerable.

As with every other requirement we’ve talked about thus far, PCI Requirement 8 has this capstone requirement. You’re going to be maintaining your policies, procedures, and standards, and anyone subject to them needs to be fully educated about what they require and why. Your assessor is going to be looking for those policies and procedures, reading them, and then talking to the staff about how you’ve implemented your policies and procedures in your environment. Understand that policies and procedures need to be in use, not just documented.