PCI compliance requirement 8: Unique IDs

PCI compliance requirement 8: Unique IDs

PCI compliance requirement 8: Unique IDs

Date: Jun 01, 2009

Diana Kelley and Ed Moyle of Security Curve review PCI compliance requirement 8: "Assign a unique ID to each person with computer access." To meet PCI compliance Requirement 8, you must:

  • Give everyone with acess to cardholder data a unique ID
  • Authenticate use of that ID using a strong password or two factors

Ed and Diana also review common questions that they hear when doing their QSA work, like "What about shared IDs?" or "Does a PIN and a password count as two-factor authentication?"

Watch the rest of the PCI compliance requirement videos.

Editor's note: This video is based on PCI DSS version 1.1. For updated information on the changes in PCI DSS version 1.2, see the following:

Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact editor@searchsecurity.com.  

PCI compliance requirement 8: Unique IDs

Ed Moyle:   Requirement 8: Unique IDs.  Basically, in a nutshell, you give

           everybody a unique ID and an identification string or value that

           they have, that is unique to them. No shared IDs, no group

           accounts, no 'the whole marketing department has one login that

           they share or sticky tape to the monitor,' none of that stuff;

           it has to be unique. One thing that we get a lot of questions

           about is, 'What does it mean to be two-factor?' For

           administrative, non-console access you need to have two-factor

           authentication. We get a lot of questions about what does that

           mean, and 'is entering two passwords, or one password twice, or

           password and a pin, does that count a two-factor? Unfortunately,

           no. It is what you have, what you are, what you know. Those are

           the three factors for authentication. A strict reading of this

           would say that that is not two-factor. You could build a case

           and write some documentation about why you think that two

           passwords, or a password and a pin, or whatever is, in fact, two-

           factor, but your challenge would be to get your QSA to accept

           that, and I personally do not. I want, when I am in an

           assessment context, if it is two passwords, that is not two



Diana Kelley:      In other words, you have no way to know what you are.


Ed Moyle:   Right. That is what a factor is. If it was two authentication

           vehicles, then it would say that.


Diana Kelley:      One thing that may be a little confusing is that you may have a

           token-based, one-time password, a card or a bingo card that

           gives you a second number that you add in, so you may feel that

           you are doing a password and a PIN with something like that, but

           that gives you a 'what you have,' because now you have that

           token or that bingo card that gives you that second number or

           password. Those, you may feel like it is similar, but they

           actually . . . Ed was talking about if you have them to use,

           essentially, two things that are in their head, no.


Ed Moyle:   This does not have to be expensive either. For administrative access,

           if you consider something like SSH, guess what, built into SSH

           is a two-factor mechanism for authentication; certificate plus

           password. It is built in.


Diana Kelley:      Some quick hints on the IDs. You want to have your processes,

           document those, put them into place. You do need two-factor

           authentication for remote access. Scope is going to help here a

           lot, because it is OK to share your email address, potentially,

           depending on your policy, with someone that works with you if

           they need to do work for you, and this has nothing to do with

           payment, like, somebody who does your scheduling, for example,

           who needs control of your calendar. These are unique IDs for

           accessing the payment information, so you want to Scope, again,

           make sure you are talking about payment information. Having

           those unique IDs there is very, very critical but do separate

           it from the rest of your network because you may have businesses

           requirements to share IDs for other business purposes.

More on PCI Data Security Standard

  • canderson

    Why infosec will increasingly rely on computer hardware security

    VIDEO - Video: Cryptography luminary Paul Kocher discusses why computer hardware security will play a larger role in the information security product ecosystem.
  • canderson

    PCI 3.0 changes: A PCI compliance requirements checklist for 2015

    VIDEO - In this presentation, compliance expert Nancy Rodriguez offers a line-by-line review of the key PCI DSS changes that become mandatory as of Jan. 1, 2015.
  • canderson

    Gartner on PCI DSS 3.0 changes: Bigger, harder and more expensive

    VIDEO - Gartner analyst Avivah Litan discusses how Gartner clients are reacting to the changes in PCI DSS 3.0, and whether the increased rigor in the standard will prove beneficial to enterprises.
  • National Vulnerability Database (NVD)

    Definition - NVD (National Vulnerability Database) is a product of the National Institute of Standards and Technology (NIST) Computer Security Division and is used by the U.S. Government for security management and compliance as well as automatic vulnerability management.
  • virtual payment terminal

    Definition - Virtual terminals allow sellers to take credit card payments online for orders made online or over the phone without requiring a card reader device.
  • ingress filtering

    Definition - Ingress filtering is a method of verifying that inbound packets arriving at a network are from the source computer they claim to be before entry (or ingress) is granted.
  • Beyond PCI: Out-of-band security tips for credit card data protection

    Tip - Securing credit card data -- both online and at brick-and-mortar stores -- requires security measures beyond those mandated by PCI DSS. Expert Philip Alexander outlines six out-of-band security controls to consider.
  • compensating control

    Definition - Compensating controls were introduced in PCI DSS 1.0, to give organizations an alternative to the requirements for encryption. The alternative is sometimes considered a loophole that creates a security risk.

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: