Overview#
Identify and Authenticate access to system components is Requirement 8 of the Payment Card Industry Data Security Standard (PCI DSS), published by the Payment Card Industry Security Standards Council, and is probably the requirement most relevant to Ldapwiki visitors.
Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. These requirements apply to all accounts with administrative capabilities, including point-of-sale accounts, and to all accounts with access to stored Cardholder Data.
They do not apply to accounts used by consumers (e.g., cardholders).
8.1 #
Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components. Assign all users a unique user name before allowing them to access system components or Cardholder Data.
8.2 #
Employ at least one of these methods to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric.
Use strong Authentication Methods and render all passwords/passphrases unreadable during transmission and storage using strong cryptography.
8.3 #
Secure all individual non-console administrative access and all remote access to the Cardholder Data Environment using Multi-Factor Authentication. This requires that at least two of the three Authentication Methods described in 8.2 are used for authentication. Using one factor twice (e.g. using two separate passwords) is NOT considered multi-factor authentication. This requirement applies to administrative personnel with non-console access to the Cardholder Data Environment from within the entity's network, and to all remote network access (including for users, administrators, and third parties) originating from outside the entity's network. (Note: the requirement for Multi-Factor Authentication for non-console administrative access from within the entity's network is a best practice until 31 January 2018, after which it becomes a requirement.)
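The "one factor twice is not MFA" rule in 8.3 can be enforced as a policy check. The following Python is an added example, not PCI DSS or Ldapwiki material: it maps each authenticator to one of the three 8.2 categories and accepts a login only when at least two distinct categories are present. The authenticator names and their categorisation are assumptions for the example.

```python
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Assumed taxonomy for this example: which 8.2 category each authenticator
# type falls into. Extend it for the authenticators your environment uses.
AUTHENTICATOR_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "passphrase": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "hardware_token": Factor.POSSESSION,
    "totp_app": Factor.POSSESSION,
    "smart_card": Factor.POSSESSION,
    "client_certificate": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
}


def factors_used(authenticators):
    """Return the set of distinct factor categories covered by the given
    authenticator types; unknown types are rejected rather than guessed."""
    factors = set()
    for name in authenticators:
        try:
            factors.add(AUTHENTICATOR_FACTOR[name])
        except KeyError:
            raise ValueError(f"unknown authenticator type: {name!r}") from None
    return factors


def is_multi_factor(authenticators) -> bool:
    """MFA per 8.3: at least two of the three categories. Counting
    authenticators is not enough, since two passwords are one category."""
    return len(factors_used(authenticators)) >= 2


def describe(authenticators) -> str:
    """Human-readable verdict listing the categories actually covered."""
    factors = factors_used(authenticators)
    verdict = "MFA" if len(factors) >= 2 else "NOT MFA"
    return f"{verdict}: {', '.join(sorted(f.value for f in factors))}"


if __name__ == "__main__":
    print(describe(["password", "password"]))           # same factor twice
    print(describe(["password", "security_question"]))  # both knowledge
    print(describe(["password", "hardware_token"]))     # knowledge + possession
```

The check deliberately fails closed on an authenticator it does not recognise, so a new login method cannot silently count as a second factor until someone decides which category it belongs to.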
8.4 #
Develop, implement, and communicate authentication policies and procedures to all users.
8.5 #
Do NOT use group, shared, or generic IDs, passwords, or other shared Authentication Methods.
Service Providers with access to customer environments must use a unique authentication credential (such as a password/passphrase) for each customer environment.
8.6 #
Where other authentication mechanisms are used, such as physical Security Tokens, Smart Cards, and certificates, they MUST be assigned to an individual account.
8.7 #
All access to any database containing cardholder data must be restricted: all user access must be through programmatic methods; only database administrators can have direct or query access; and application IDs for database applications can only be used by the applications (and not by users or non-application processes).
8.8 #
Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties.