Learning Guide

PCI DSS Requirement 8: Assign unique user IDs to those with access

A critical concern of PCI compliance is traceability and accountability of who did what and when. Even though organizations realize that the main techniques used to address this requirement are user and password management, both of these techniques are difficult to implement. To do so, incorporate tools that automate these tasks, or assign technical staff to handle them. Large networks can have heterogeneous environments with many points of entry, including firewalls and VPN access. The various options make it difficult to track user accounts and behavior on information systems without the proper infrastructure. These same organizations may not be monitoring domain password policies correctly for all changes.

How to pass PCI Requirement 8
Organizations must be able to identify and log all user and administrative access to information systems and applications containing credit card information. Organizations must create a unique ID for every individual that will have computer access. The company must also possess a documented policy -- signed by all employees -- pointing out that all IDs and credentials are to be used only by the people to whom they are specified. Organizations need to be capable of verifying who is attempting access to an asset. They also must control what employees are permitted to see or modify, and do so based on their organization role.

Management must make sure that it enforces a policy for aging passwords. As an example, if a company

    Requires Free Membership to View

    Login

has a policy that states all passwords will be changed every 45 days, they must be able to demonstrate that this actually occurs. Additionally, organizations have to be able to show that there is a repeatable process in place for providing passwords for new employee hires, as well as removing passwords when an employee no longer works for the organization.

PCI compliance and IAM strategies

Identity and access management is critical to PCI compliance, but IT security professionals don't always work well with audit/compliance managers.
PCI DSS also requires two-factor authentication to identify remote users that need to access resources, whether they are employees, administrators or third parties. While account name and password is typically the easiest and least expensive method of network logon authentication, organizations have now started to realize the weaknesses of this method. Passwords can be guessed or cracked using dictionary attacks, or users can be tricked into disclosing their passwords to other people. One way to stop social engineers and reduce additional risks associated with passwords is to apply two-factor authentication. If users are obligated to type in a password and provide additional information, such as a PIN from a card or token, then a hacker would not be able to get into the network with a password alone. Two-factor authentication can be established by using the combination of something a user knows (a password, for example), something a user possesses (ATM card), or something the user is (fingerprint).

Finally, it is crucial that organizations use an enterprise-wide authentication framework that will control how users can securely connect to the network. The framework, which can be built or bought, should not only be used to authenticate users to resources, but can also help limit access to resources based on business requirements. Doing so requires the development of a set of repeatable processes, along with technologies and policies that will protect user identities and data. Limiting users to a "need to know" basis helps to eliminate risk.


A GUIDE TO PASSING PCI'S FIVE TOUGHEST REQUIREMENTS

  Requirement 3: Protecting stored data
  Requirement 11: Regularly test systems and processes
  Requirement 8: Assign a unique ID to users
  Requirement 10: Monitor access to network resources and data
  Requirement 1: Install and maintain a firewall configuration
  Conclusion

ABOUT THE AUTHOR:
Craig Norris, CISSP, CISA, G7799, MCSE, Security+, CAPM, TICSA, is a Regional Engagement Manager at an IT consulting firm in Dallas. He has been involved with information technology and security for over 12 years. He can be contacted via canvip@yahoo.com.

This was first published in September 2007

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.
    Back to top