PCI Readiness Series: PCI Requirement 8
This session in our PCI Readiness Series dives into PCI Requirement 8, specifically about identifying and authenticating access to system components. In this webinar, we will cover strong, secure passwords in transmission and storage, disabling accounts for terminated employees and unused accounts, changing default passwords, and disabling generic accounts with shared usernames and passwords.
PCI Requirement 8 establishes non-repudiation and authentication security, covers all systems and applications, and has about 21 sub-requirements that will be assessed. Establishing your authentication program takes an incredible amount of work. PCI Requirement 8 applies to all users and to any place where a password is required.
This webinar also discusses topics such as:
- Program Management: Policies and procedures regarding authentication must be documented, in use, and effectively communicated to all relevant individuals.
- Assessment – Documents: In addition to policies and procedures, assessors will look at documents such as: system password configuration standards, a list of terminated employees within the last 6 months, a list of new hires, a list of administrators, and a list of all user accounts from all systems.
- Assessment – Asset Observation: Assessors will conduct a review of all password settings and a review of how passwords are encrypted during transmission.
- Best Practices: We believe some basic best practices for complying with Requirement 8 are:
  - No sharing of usernames and passwords (no generic accounts)
  - Passwords must be strong
  - Passwords must be secure in transmission and storage
  - No use of default passwords
  - Must disable accounts for employees who are no longer there
  - Must disable accounts that are not used in 90 days
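As an added illustration of three of the account-hygiene checks above (this script is not part of the webinar), the following audit cross-references a constructed account export against a constructed terminated-employee list and an assumed list of generic usernames, flagging the findings an assessor would look for.

```python
"""Added example: audit an account export for three PCI Requirement 8 checks:
terminated employees still enabled, accounts inactive for more than 90 days,
and generic/shared account names.  All data below is constructed sample data."""
from datetime import date, timedelta

# Constructed sample export: one record per account, across several systems.
ACCOUNTS = [
    {"user": "jsmith",    "system": "erp",  "enabled": True,  "last_login": date(2024, 5, 1)},
    {"user": "bjones",    "system": "erp",  "enabled": True,  "last_login": date(2024, 1, 2)},
    {"user": "admin",     "system": "db01", "enabled": True,  "last_login": date(2024, 5, 20)},
    {"user": "tlee",      "system": "vpn",  "enabled": False, "last_login": date(2023, 11, 9)},
    {"user": "svc_batch", "system": "db01", "enabled": True,  "last_login": None},
]
TERMINATED = {"bjones", "tlee"}          # constructed HR list of recent terminations
GENERIC_NAMES = {"admin", "root", "guest", "shared", "sa"}  # assumed generic-name list
INACTIVITY_LIMIT = timedelta(days=90)    # the 90-day threshold from the best practices


def audit(accounts, terminated, generic_names, today):
    """Return (user, system, finding) tuples for enabled accounts that fail a check.
    Disabled accounts satisfy all three checks and are skipped."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        if acct["user"] in terminated:
            findings.append((acct["user"], acct["system"], "terminated employee still enabled"))
        if acct["user"] in generic_names:
            findings.append((acct["user"], acct["system"], "generic/shared account"))
        # Assumption: an account that has never logged in counts as inactive.
        last = acct["last_login"]
        if last is None or today - last > INACTIVITY_LIMIT:
            findings.append((acct["user"], acct["system"], "inactive > 90 days"))
    return findings


if __name__ == "__main__":
    for user, system, finding in audit(ACCOUNTS, TERMINATED, GENERIC_NAMES, date(2024, 6, 1)):
        print(f"{user:<10} {system:<5} {finding}")
```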
This webinar also gives an overview of each of these sub-requirements:
- Requirement 8.1 – Define and implement policies and procedures
- Requirement 8.2 – Every user gets their own user ID and something to authenticate with (such as a password, token, or biometric)
- Requirement 8.3 – Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including administrators and vendors)
- Requirement 8.4 – Document and communicate authentication policies and procedures to all users
- Requirement 8.5 – Do not use group, shared, or generic IDs, passwords, or other authentication methods
- Requirement 8.6 – Where other authentication mechanisms are used (security tokens, smart cards, certificates, etc.), these mechanisms must be assigned to an individual rather than shared
- Requirement 8.7 – All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted
- Requirement 8.8 – Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties