How to pass PCI Requirement 8
Organizations must be able to identify and log all user and administrative access to systems and applications that hold cardholder data. Every individual with computer access must be given a unique ID. The company must also have a documented policy, signed by all employees, stating that IDs and credentials are to be used only by the person to whom they are assigned; shared or generic accounts defeat the purpose, since a log entry then cannot be tied to one person. Organizations must be able to verify who is attempting to access an asset, and they must control what employees are permitted to see or modify based on their role in the organization.
Management must make sure that it enforces a policy for aging passwords. As an example, if a company
PCI DSS also requires two-factor authentication for remote access to the network, whether the remote user is an employee, an administrator or a third party. An account name and password is the easiest and least expensive method of logon authentication, but organizations have come to recognize its weaknesses: passwords can be guessed or cracked with dictionary attacks, and users can be tricked into disclosing them to other people. Two-factor authentication blunts social engineering and the other risks of password-only logon. If users must type a password and also supply a second piece of evidence, such as a one-time code from a card or token, an attacker who has obtained the password alone still cannot get into the network. The second factor must come from a different category than the first: something the user knows (a password or PIN), something the user possesses (an ATM card or token), or something the user is (a fingerprint). A password plus a PIN is two things the user knows, and so does not count as two-factor authentication.
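As an added example that is not part of the original article: the following Python combines the two factors described above, a salted password hash (something the user knows) and a one-time code from an RFC 6238 TOTP token (something the user possesses), and writes one audit entry per attempt under the user's unique ID, which is what the requirement's logging clause asks for. It also rejects a code that has already been accepted, so a code sniffed from one logon cannot be replayed within the clock-skew window. The user name, password and token secret are constructed for illustration (the token secret is the RFC 6238 test-vector seed); the class and function names are this example's own.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

DIGITS = 6      # code length shown on the token
STEP = 30       # TOTP time step in seconds (RFC 6238 default)
WINDOW = 1      # accept one step of clock skew on either side


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def hash_password(password: str, salt: bytes, rounds: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


class Authenticator:
    """Two-factor logon gate with an audit trail keyed by unique user ID."""

    def __init__(self) -> None:
        self.users: dict = {}   # unique user ID -> credential record
        self.audit: list = []   # one entry per attempt, success or failure

    def enroll(self, user_id: str, password: str, totp_secret: bytes) -> None:
        salt = os.urandom(16)
        self.users[user_id] = {
            "salt": salt,
            "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret,
            "last_counter": -1,   # highest TOTP counter already accepted
        }

    def _record(self, user_id: str, now: int, result: str) -> bool:
        """Log every attempt under the unique ID; only "ok" means admitted."""
        self.audit.append({"user": user_id, "time": now, "result": result})
        return result == "ok"

    def login(self, user_id: str, password: str, code: str, now: Optional[int] = None) -> bool:
        if now is None:
            now = int(time.time())
        rec = self.users.get(user_id)
        if rec is None:
            return self._record(user_id, now, "unknown-user")
        # Factor 1: something the user knows. Constant-time compare of hashes.
        if not hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"]):
            return self._record(user_id, now, "bad-password")
        # Factor 2: something the user has. Reject malformed codes up front so
        # compare_digest only ever sees ASCII digit strings.
        code = code.strip()
        if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            return self._record(user_id, now, "bad-or-replayed-code")
        # Try the current step and WINDOW steps either side, but never accept a
        # counter at or below the last one used: a sniffed code cannot be replayed.
        base = now // STEP
        for counter in range(base - WINDOW, base + WINDOW + 1):
            if counter > rec["last_counter"] and hmac.compare_digest(
                hotp(rec["totp_secret"], counter), code
            ):
                rec["last_counter"] = counter
                return self._record(user_id, now, "ok")
        return self._record(user_id, now, "bad-or-replayed-code")


if __name__ == "__main__":
    # Constructed demo: enroll one user, then log on with a fresh token code.
    auth = Authenticator()
    seed = b"12345678901234567890"          # RFC 6238 test-vector seed
    auth.enroll("jdoe", "correct horse", seed)
    now = int(time.time())
    print("admitted:", auth.login("jdoe", "correct horse", totp(seed, now), now=now))
    print("audit:", auth.audit)
```

The password check runs first and returns on failure, so the TOTP path is never exercised for an attacker who does not hold the first factor, and a failed attempt reveals nothing about which factor was wrong beyond what the audit log records server-side. In production the `now` argument would be left to default to the clock, and the per-user `last_counter` would live in the credential store rather than in memory.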
Finally, organizations should use an enterprise-wide authentication framework that controls how users connect to the network. The framework, whether built or bought, should not only authenticate users to resources but also restrict access to those resources according to business requirements. That calls for a set of repeatable processes, together with technologies and policies that protect user identities and data. Limiting users to what they need to know for their role reduces risk; it cannot eliminate it.
A GUIDE TO PASSING PCI'S FIVE TOUGHEST REQUIREMENTS
Requirement 3: Protecting stored data
Requirement 11: Regularly test systems and processes
Requirement 8: Assign a unique ID to users
Requirement 10: Monitor access to network resources and data
Requirement 1: Install and maintain a firewall configuration
Craig Norris, CISSP, CISA, G7799, MCSE, Security+, CAPM, TICSA, is a Regional Engagement Manager at an IT consulting firm in Dallas. He has been involved with information technology and security for over 12 years. He can be contacted via firstname.lastname@example.org.
This was first published in September 2007