
PCI DSS Requirement 8: Assign unique user IDs to those with access

To pass a PCI compliance audit, organizations need to be capable of verifying who is attempting access to an asset. They also must control what employees are permitted to see or modify, and do so based on their organizational role. In this PCI survival guide, Craig Norris explains where most companies go wrong.

A critical concern of PCI compliance is traceability and accountability: who did what, and when. Even though organizations realize that the main techniques used to address this requirement are user and password management, both of these techniques are difficult to implement. To do so, incorporate tools that automate these tasks, or assign technical staff to handle them. Large networks can have heterogeneous environments with many points of entry, including firewalls and VPN access. The variety of entry points makes it difficult to track user accounts and behavior on information systems without the proper infrastructure. These same organizations may also not be monitoring domain password policies correctly for all changes.

How to pass PCI Requirement 8

Organizations must be able to identify and log all user and administrative access to information systems and applications containing credit card information. Organizations must create a unique ID for every individual who will have computer access. The company must also possess a documented policy -- signed by all employees -- stating that all IDs and credentials are to be used only by the people to whom they are assigned. Organizations need to be capable of verifying who is attempting access to an asset. They also must control what employees are permitted to see or modify, and do so based on their organizational role.

Management must make sure that it enforces a policy for aging passwords. As an example, if a company has a policy that states all passwords will be changed every 45 days, it must be able to demonstrate that this actually occurs. Additionally, organizations have to be able to show that there is a repeatable process in place for issuing passwords to new hires, as well as removing passwords when an employee no longer works for the organization.
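The three controls just described (one ID per person, a password-age limit that can be demonstrated, and removal of access when someone leaves) are the kind of thing an auditor will ask you to evidence. The following is an added example, not code from the original article, of a small account review that produces that evidence from an account inventory and an HR roster. The account records, the roster, the field names and the 45-day limit taken from the text above are all constructed for illustration.

```python
"""Added example: a PCI DSS Requirement 8 style account review.

Given an account inventory and the list of current employees, report
accounts that break the controls described in the article:
  NOT_UNIQUE               - the ID is not tied to one named person
  TERMINATED_STILL_ENABLED - the owner no longer works here but the ID is live
  PASSWORD_EXPIRED         - the password is older than the policy allows
All data and field names below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

MAX_PASSWORD_AGE_DAYS = 45  # the example policy quoted in the article


@dataclass(frozen=True)
class Account:
    user_id: str
    owner: Optional[str]        # None means the ID is generic/shared
    enabled: bool
    last_password_change: date


# Constructed sample inventory and roster (assumed export formats).
ACCOUNTS: List[Account] = [
    Account("jdoe", "Jane Doe", True, date(2007, 8, 20)),
    Account("bsmith", "Bob Smith", True, date(2007, 6, 1)),
    Account("admin", None, True, date(2007, 1, 15)),
    Account("tlee", "Tom Lee", True, date(2007, 9, 1)),
    Account("svc_backup", None, False, date(2006, 12, 31)),
]
CURRENT_EMPLOYEES: Set[str] = {"Jane Doe", "Bob Smith", "Ann Park"}
AS_OF = date(2007, 9, 10)


def review_accounts(accounts: List[Account], employees: Set[str], as_of: date,
                    max_age_days: int = MAX_PASSWORD_AGE_DAYS) -> Dict[str, List[str]]:
    """Return a mapping of user_id -> list of finding codes (only accounts with findings)."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        issues: List[str] = []
        # Requirement: every ID must belong to exactly one identifiable person.
        if acct.owner is None:
            issues.append("NOT_UNIQUE")
        # Requirement: access is removed when the person leaves.
        if acct.enabled and acct.owner is not None and acct.owner not in employees:
            issues.append("TERMINATED_STILL_ENABLED")
        # Requirement: the password-aging policy is actually enforced.
        # Disabled accounts cannot be used, so only live accounts are checked.
        if acct.enabled and (as_of - acct.last_password_change).days > max_age_days:
            issues.append("PASSWORD_EXPIRED")
        if issues:
            findings[acct.user_id] = issues
    return findings


if __name__ == "__main__":
    for user_id, issues in review_accounts(ACCOUNTS, CURRENT_EMPLOYEES, AS_OF).items():
        print(f"{user_id}: {', '.join(issues)}")
```

Run against real exports, the interesting design point is the roster join: the check that catches leavers only works if the account inventory records a human owner for every ID, which is exactly what the unique-ID requirement forces you to have in the first place.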

PCI DSS also requires two-factor authentication to identify remote users that need to access resources, whether they are employees, administrators or third parties. While account name and password are typically the easiest and least expensive method of network logon authentication, organizations have now started to realize the weaknesses of this method. Passwords can be guessed or cracked using dictionary attacks, or users can be tricked into disclosing their passwords to other people. One way to stop social engineers and reduce the additional risks associated with passwords is to apply two-factor authentication. If users are obligated to type in a password and provide additional information, such as a PIN from a card or token, then a hacker would not be able to get into the network with a password alone. Two-factor authentication can be established by combining two of the following: something a user knows (a password, for example), something a user possesses (an ATM card or token), or something the user is (a fingerprint).
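To make the "password plus code from a token" model concrete, here is an added example (not from the original article) of a login check that requires both factors. The one-time code is a time-based token code computed per RFC 6238 with HMAC-SHA1, which goes a little beyond the article's generic "PIN from a card or token" but is the most common form of that factor. The user record, salt and shared secret are constructed; the secret is the published RFC test secret so the expected code is known.

```python
"""Added example: two-factor login = password (something you know)
plus a time-based one-time code from a token (something you have).
User record, salt and token secret are constructed for the example;
the secret is the RFC 4226/6238 test-vector secret."""
import hashlib
import hmac
import struct
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226), SHA-1, dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time-step counter."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, at_time: float,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock drift.
    Uses a constant-time comparison so a wrong guess cannot be timed."""
    counter = int(at_time) // step
    ok = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), candidate):
            ok = True
    return ok


PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Store passwords as salted PBKDF2 hashes, never in clear text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


# Constructed user store: one unique ID per person, each with its own token secret.
_SALT = b"constructed-salt-jdoe"
USERS: Dict[str, Dict[str, bytes]] = {
    "jdoe": {
        "salt": _SALT,
        "pw_hash": hash_password("correct horse battery", _SALT),
        "totp_secret": b"12345678901234567890",  # RFC test secret, constructed record
    },
}


def authenticate(user_id: str, password: str, otp: str, at_time: float) -> bool:
    """Both factors are always evaluated, and both must pass."""
    rec: Optional[Dict[str, bytes]] = USERS.get(user_id)
    if rec is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"])
    otp_ok = verify_totp(rec["totp_secret"], otp, at_time)
    return pw_ok and otp_ok


if __name__ == "__main__":
    # At Unix time 59 the RFC 6238 SHA-1 test vector gives code 287082.
    print(totp(b"12345678901234567890", 59))
    print(authenticate("jdoe", "correct horse battery", "287082", 59))
```

Note that `authenticate` computes the password check and the token check unconditionally rather than short-circuiting, so the response does not reveal which factor failed.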

Finally, it is crucial that organizations use an enterprise-wide authentication framework that will control how users can securely connect to the network. The framework, which can be built or bought, should not only be used to authenticate users to resources, but can also help limit access to resources based on business requirements. Doing so requires the development of a set of repeatable processes, along with technologies and policies that will protect user identities and data. Limiting users to a "need to know" basis helps to eliminate risk.


Craig Norris, CISSP, CISA, G7799, MCSE, Security+, CAPM, TICSA, is a Regional Engagement Manager at an IT consulting firm in Dallas. He has been involved with information technology and security for over 12 years. He can be contacted via [email protected].
This was last published in September 2007
