What is PCI-DSS Requirement 8?
PCI Requirement 8 focuses on two actions: identify and authenticate. These actions are critical to protecting your systems.
PCI Requirement 8 states, “Identify and authenticate access to system components.” Being able to identify each user in your system enables you to hold each user accountable for their actions. Assigning a unique identification to every user ensures that you know who’s taking which specific actions in your systems. Authentication ensures that whoever is accessing your system is who they say they are. If there are no security measures taken at the point of entry, during transmission, and while in storage, passwords and other authentication methods will likely become susceptible to an attacker. The actions of identify and authenticate function together to protect your system components.
PCI Requirement 8 details the following sub-requirements:
- 8.1- Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components.
- 8.1.1 – Assign all users a unique ID before allowing them to access system components or cardholder data.
- 8.1.2 – Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
- 8.1.3 – Immediately revoke access for any terminated users.
- 8.1.4 – Remove/disable inactive user accounts within 90 days.
- 8.1.5 – Manage IDs used by third parties to access, support, or maintain system components via remote access.
- 8.1.6 – Limit repeated access attempts by locking out the user ID after not more than six attempts.
- 8.1.7 – Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.
- 8.1.8 – If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.
- 8.2 – In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users: something you know, such as a password or passphrase, something you have, such as a token device or smart card, or something you are, such as a biometric.
- 8.2.1 – Using strong cryptography, render all authentication credentials unreadable during transmission and storage on all system components.
- 8.2.2 – Verify user identity before modifying any authentication credential.
- 8.2.3 – Passwords must require a minimum length of at least seven characters and contain both numeric and alphabetic characters.
- 8.2.4 – Change user passwords at least once every 90 days.
- 8.2.5 – Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
- 8.2.6 – Set passwords for first-time use and upon reset to a unique value for each user, and change immediately after the first use.
- 8.3 – Secure all individual non-console administrative access and all remote access to the cardholder data environment using multi-factor authentication.
- 8.3.1 – Incorporate multi-factor authentication for all non-console access into the cardholder data environment for personnel with administrative access.
- 8.3.2 – Incorporate multi-factor authentication for all remote network access originating from outside the entity’s network.
- 8.4 – Document and communicate authentication policies and procedures to all users including: guidance on selecting strong authentication credentials, guidance for how users should protect their authentication credentials, instructions not to reuse previously used passwords, and instructions to change passwords if there is any suspicion the password could be compromised.
- 8.5 – Do not use group, shared, or generic IDs, passwords, or other authentication methods.
- 8.5.1 – Service providers with remote access to customer premises must use a unique authentication credential for each customer.
- 8.6 – Where other authentication mechanisms are used, authentication mechanisms must be assigned to an individual account and not shared among multiple accounts or physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access.
- 8.7 – All access to any database containing cardholder data is through programmatic methods, only database administrators have the ability to directly access or query databases, and application IDs for database applications can only be used by the applications.
- 8.8 – Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties.
It’s important to note that the PCI DSS states PCI Requirement 8 applies to all accounts, including point-of-sale accounts, with administrative capabilities, as well as all accounts used to view cardholder data, access cardholder data, or access systems with cardholder data. This includes accounts used by vendors and other third parties, but does not apply to accounts used by consumers. However, the PCI DSS states that PCI Requirements 8.1.1, 8.2, 8.5, 8.2.3 through 8.2.5, and 8.1.6 through 8.1.8 do not to apply to user accounts within a point-of-sale payment application that only have access to one card number at a time in order to facilitate a single transaction, such as a cashier account.
Passwords, user IDs, two-factor authentication, policies and procedures, and cryptography are all elements that factor into PCI Requirement 8, but the most important actions to remember are identification and authentication. Remembering to identify and authenticate in every area of your access control process will mature and secure your system components.
PCI Requirement 8 is about authentication. When we looked at PCI Requirement 7, we were focused on authorizing individuals to have access into specific areas of your environment or have access to assets. We get to PCI Requirement 8, and it’s focused on making sure that whoever it is that’s authenticating access to those assets are who they say they are, which we’ll talk about in the subsequent videos.
There are a couple of things that you need to be aware of as part of the password management and password requirements. I want you to take a moment and read the preamble to PCI Requirement 8. There are certain accounts and certain people that these password requirements may not apply to, such as individuals that would have access to one bit of cardholder data at a time, perhaps somebody at a register. So, all of these password requirements would not necessarily apply to those individuals. You might have call center agents that only interact with one piece of cardholder data at a time; a portion of these requirements may not apply to them. If you have any questions about this, I recommend you spend some time with your assessor and read that preamble to PCI Requirement 8 to understand how this may or may not apply to you in your specific situation.