Payment Card Industry (PCI) compliance is required for security and stability of all card-related transactions, regardless of industry. The Data Security Standard (DSS) as stipulated by the PCI is broken down into 12 primary requirements; this article will detail PCI DSS Requirement 8, which focuses on identifying and authenticating all access to system components. Below, we’ll examine all controls and measures for compliance within Requirement 8’s sub-requirements.
PCI DSS Requirement 8 Identification and Authentication Measures
Primarily concerned with user accountability, access, and authentication, PCI DSS Requirement 8 comprises several conditions essential for cardholder data (CHD) safety and PCI compliance.
This article homes in on the details of each sub-requirement within Requirement 8; the specific sub-requirements and Testing Procedures for each dictate the measures you need.
PCI DSS Requirement 8.1: Establish User Identification Policies
The primary goal of PCI DSS Requirement 8.1 is defining procedures and policies required for all other sub-requirements (8.1 through 8.8). The specific measures for 8.1 break down as follows:
- PCI DSS 8.1.1 – Assign unique IDs to all users before granting them access to CHD.
- PCI DSS 8.1.2 – Control which individuals can add, delete, or edit user accounts or identifier objects, along with any parameters related to them, such as credentials.
- PCI DSS 8.1.3 – Revoke access permissions immediately upon user termination.
- PCI DSS 8.1.4 – Terminate or disable user accounts after 90 days of inactivity.
- PCI DSS 8.1.5 – Manage all third-party IDs used to access systems, restricting all access permissions to the extent and duration needed and monitoring while in use.
- PCI DSS 8.1.6 – Lock a user out of an account after no more than six failed login attempts.
- PCI DSS 8.1.7 – Set lockout durations for at least 30 minutes or until an authorized administrator re-enables the account and its access privileges.
- PCI DSS 8.1.8 – Re-authenticate users if a session is idle for 15 minutes (or more).
Requirement 8.1 ensures all non-customer and admin users of payment systems have a unique ID, creating a chain of accountability that allows for quicker resolution of problems.
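The lockout and idle-timeout thresholds in 8.1.6 through 8.1.8 are easy to get subtly wrong (for example, accepting a correct password while an account is still locked). The following Python sketch is an added example, not code from the original article or from RSI Security; the `Account` class and its functions are hypothetical, and clock values are passed in as epoch seconds so the behaviour can be checked deterministically.

```python
"""Account lockout (PCI DSS 8.1.6, 8.1.7) and idle-session re-authentication (8.1.8)."""
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 6          # 8.1.6: lock after no more than six failures
LOCKOUT_SECONDS = 30 * 60        # 8.1.7: stay locked for at least 30 minutes
IDLE_TIMEOUT_SECONDS = 15 * 60   # 8.1.8: re-authenticate after 15 idle minutes

@dataclass
class Account:  # hypothetical record; a real system would persist this server-side
    user_id: str
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0.0 means not locked
    last_activity: float = 0.0  # epoch seconds of the session's last request
    authenticated: bool = False

def is_locked(acct: Account, now: float) -> bool:
    return now < acct.locked_until

def record_login(acct: Account, success: bool, now: float) -> bool:
    """Apply one login attempt; return True only if the user is now authenticated."""
    if is_locked(acct, now):
        return False  # even a correct password is rejected while locked
    if success:
        acct.failed_attempts = 0
        acct.authenticated = True
        acct.last_activity = now
        return True
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failed_attempts = 0  # fresh count once the lockout lapses
    return False

def admin_unlock(acct: Account) -> None:
    """8.1.7 alternative: an authorized administrator re-enables the account early."""
    acct.locked_until = 0.0
    acct.failed_attempts = 0

def touch_session(acct: Account, now: float) -> bool:
    """Call on every request; False means the session is gone and re-auth is required."""
    if not acct.authenticated:
        return False
    if now - acct.last_activity >= IDLE_TIMEOUT_SECONDS:
        acct.authenticated = False  # idle too long: force re-authentication
        return False
    acct.last_activity = now
    return True
```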
PCI DSS Requirement 8.2: Establish User Authentication Policies
The major focus of PCI DSS Requirement 8.2 is defining the authentication processes, which put identification into action. In particular, 8.2 introduces the types of authenticating factors that can be used to safeguard accounts, such as something a user knows (a password), has (a device), or is (a biometric scan). The specific measures for 8.2 break down as follows:
- PCI DSS 8.2.1 – Utilize cryptography for transmission and storage of user credentials.
- PCI DSS 8.2.2 – Verify a user’s identity prior to modifying any authentication credential.
- PCI DSS 8.2.3 – Implement strength and complexity requirements for user passwords, including a minimum of seven characters and at least one number and letter character.
- PCI DSS 8.2.4 – Require user passwords to be changed at least once every 90 days.
- PCI DSS 8.2.5 – Prohibit reuse of passwords and passphrases, ensuring no individual password or passphrase matches any of the previous four selected by a user.
- PCI DSS 8.2.6 – Issue unique passwords for first-time use and require users to change their given passwords immediately after their first use.
Critically, 8.2 requires one proper authenticating factor to be used for access—requiring more than one is referred to as multi-factor authentication (MFA), which is the main focus of 8.3.
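The password rules in 8.2.3 through 8.2.5 (seven characters with a letter and a digit, rotation within 90 days, no reuse of the last four) can be enforced together with the storage rule in 8.2.1 by keeping only salted hashes of past passwords. The snippet below is an added example, not code from the original article or from RSI Security; the function names and the PBKDF2 parameters are assumptions chosen for illustration.

```python
"""Password checks for PCI DSS 8.2.3 (complexity), 8.2.4 (age) and 8.2.5 (reuse)."""
import hashlib
import hmac
import os

MIN_LENGTH = 7                 # 8.2.3: at least seven characters
HISTORY_DEPTH = 4              # 8.2.5: compare against the last four passwords
MAX_AGE_SECONDS = 90 * 86400   # 8.2.4: change at least every 90 days
PBKDF2_ROUNDS = 100_000        # assumed work factor for this illustration

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256, stored instead of the plaintext (8.2.1)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def meets_complexity(password: str) -> bool:
    """8.2.3: minimum length plus at least one letter and one digit."""
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))

def password_expired(last_changed: float, now: float) -> bool:
    """8.2.4: a password unchanged for 90 days (epoch seconds) must be rotated."""
    return now - last_changed >= MAX_AGE_SECONDS

def matches_recent(password: str, history: list) -> bool:
    """8.2.5: history holds (salt, digest) pairs for the current and earlier passwords."""
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in history[-HISTORY_DEPTH:])

def change_password(history: list, new_password: str) -> tuple:
    """Validate a candidate; on success append its hash and keep only the last four."""
    if not meets_complexity(new_password):
        return False, "8.2.3: need at least 7 characters with a letter and a digit"
    if matches_recent(new_password, history):
        return False, "8.2.5: matches one of the last four passwords"
    history.append(hash_password(new_password))
    del history[:-HISTORY_DEPTH]  # oldest entries drop out of the reuse window
    return True, "ok"
```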
PCI DSS Requirement 8.3: Integrate Multi-Factor Authentication
PCI DSS Requirement 8.3 compounds the measures of 8.2 by requiring at least two of the proper authentication measures for all non-console administrative access and remote access to systems in the CHD environment (CDE). There are two specific sub-requirement measures:
- PCI DSS 8.3.1 – Incorporate MFA for all non-console access to CHD, including for personnel who have administrative access to the CHD or systems connected to it.
- PCI DSS 8.3.2 – Incorporate MFA for all user and admin access that is remote or otherwise originates from outside the organization’s networks.
Using two of the same kind of factor (e.g., two passwords) is not considered PCI-compliant MFA.
PCI DSS Requirement 8.4: Train Users on Account Authentication
The first part of PCI DSS Requirement 8 that does not have any sub-requirements of its own is Requirement 8.4. Instead, its measures are broad and less explicitly defined, including formal documentation and communication of policies and procedures related to user identification and authentication. This includes guidance on how to select sufficiently strong credentials, how to protect and maintain those credentials, and then how to safely make changes to their accounts.
The Testing Procedures for 8.4 indicate that measures must be clearly communicated in policies and procedures, which will be examined for explicit guidance. A representative sample of users may also be interviewed to determine whether they are familiar with policies and procedures.
Note: This is distinct from the formal documentation and dissemination required per 8.8 below.
PCI DSS Requirement 8.5: Minimize Generic or Shared Credentials
PCI DSS Requirement 8.5 is primarily focused on ensuring user account safety by eliminating default settings inadequate for CHD protection. In particular, its measures concern immediately removing and replacing all generic user IDs and eliminating shared IDs for CDE components.
There is also one sub-requirement measure that is applicable to service providers exclusively:
- PCI DSS 8.5.1 – Utilize unique authentication credentials for each individual customer in any situation involving remote access to customers’ premises (e.g., POS system support).
As a best practice, all companies should search for and remove any generic or shared user IDs, whether or not they grant access to or are otherwise connected to CHD or CDE components.
PCI DSS Requirement 8.6: Safeguard Special Devices Individually
PCI DSS Requirement 8.6 is primarily concerned with special safeguards for devices that use authentication methods not covered by 8.2. If physical or logical tokens, smart cards, or certificates are used, their use needs to be carefully documented and restricted. There are no sub-requirements, but measures for 8.6 include assigning each such authentication mechanism to an individual account (not a shared one, per 8.5) and verifying identity via physical or logical controls.
The Testing Procedures for Requirement 8.6 specify that applicable policies and procedures, along with physical and logical controls, will be examined for evidence pertaining to these measures. Also, personnel may be interviewed to confirm their knowledge of the measures.
PCI DSS Requirement 8.7: Restrict Access to All CHD Databases
The penultimate subsection within PCI DSS Requirement 8 is 8.7, which details access restrictions for databases containing or connected to CHD. As with 8.6, there are no explicit sub-requirements named, but PCI-compliant measures must ensure that all user access to CHD databases happens via programmatic methods. Direct access to and queries of the database must be limited to administrators, and all application IDs used for database access must be restricted to use by the application itself.
Testing Procedures for 8.7 are directly related to these principles, examining databases’ access control settings and access logs to determine whether the measures are being implemented.
PCI DSS Requirement 8.8: Document and Distribute Policies
Finally, PCI DSS Requirement 8.8 is concerned less with actual measures to implement than with formal documentation of measures pertaining to Requirements 8.1 through 8.7. It has no sub-requirements. Its Testing Procedures involve examining all documentation for policies and procedures to ensure that all responsibilities for identification and access are documented, in use, and known to all parties to whom they apply. This corresponds to the requirements for policy establishment in 8.1 and 8.2, along with all specific controls throughout Requirement 8.
Note: All PCI DSS Requirements have a similar sub-requirement for formal documentation, except Requirement 12—instead, Requirement 12 applies similar measures to all others.
The Best Route to PCI-Compliant Identification and Authentication
As detailed above, there is a wide variety of measures required to fulfill PCI DSS Requirement 8. These range from basic policies for identification and authentication to specific practices for user account maintenance and monitoring.
Along with the 11 other PCI DSS Requirements, these measures can be challenging for many companies to implement—especially alone. RSI Security can help your company rethink its PCI compliance process. Our PCI advisory services facilitate all elements of implementation and assessment.
Contact RSI Security today to get started!