Proper Authentication in Usage Policies
We learned about authentication methods in PCI Requirement 7, and that ties in here. The more people who have access to cardholder data, the more risk there is. A crucial aspect of usage policies is authentication. PCI Requirement 12.3.2 says that usage policies must require authentication for the use of technology. If technology is implemented without proper authentication methods, malicious individuals may use this insecure technology to access critical systems and cardholder data. Authentication methods could include user IDs/passwords, tokens, VPNs, etc.
To test compliance with PCI Requirement 12.3.2, an assessor will need to examine your usage policies to ensure that there is a process for authentication when using technology.
When we look back on PCI Requirement 7, there are requirements for all of your technologies to be able to support your role-based access controls. PCI Requirement 12.3.2 requires that all of your technology have the ability to authenticate individual users to that asset before they are given access. From an assessment perspective, we look at these usage policies and make sure that all systems require authentication.