Identify and Authenticate access to system components is part of the standards published by the Payment Card Industry Security Standards Council and is probably the requirement most relevant to Ldapwiki visitors.
Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. These requirements apply to all accounts with administrative capabilities, including point-of-sale accounts, and to all accounts with access to stored Cardholder Data.
Requirements do not apply to accounts used by consumers (e.g., cardholders).
Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components. Assign all users a unique user name before allowing them to access system components or Cardholder Data.
Employ at least one of the Authentication Methods to authenticate all users. Use strong Authentication Methods, and render all passwords unreadable during transmission using strong cryptography.
Secure all individual non-console administrative access and all remote access to the Cardholder Data Environment using Multi-Factor Authentication. This requires that at least two of the three Authentication Methods described in 8.2 be used for authentication. Using one factor twice (e.g. using two separate passwords) is NOT considered multi-factor authentication. This requirement applies to administrative personnel with non-console access to the Cardholder Data Environment from within the entity’s network, and to all remote network access (including for users, administrators, and third parties) originating from outside the entity’s network. (Note: The requirement for Multi-Factor Authentication for non-console administrative access from within the entity’s network is a Best Practice until 31 January 2018, after which it becomes a requirement.)
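As an added illustration that is not part of this page or of the PCI DSS text, the following Python encodes the scope and factor rules of the paragraph above as a policy check. The three factor categories of 8.2 (something you know, something you have, something you are) and the mapping of authenticator types to those categories are assumptions of the example.

```python
from datetime import date
from enum import Enum

class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"

# Constructed mapping of authenticator types to factor categories (example data, not from the page).
AUTHENTICATOR_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "hardware_token": Factor.POSSESSION,
    "smart_card": Factor.POSSESSION,
    "certificate": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
}

# Internal non-console administrative MFA is a best practice until this date (from the page).
INTERNAL_ADMIN_MFA_DEADLINE = date(2018, 1, 31)

def is_multi_factor(authenticators):
    """True only when the authenticators span two or more distinct factor categories.
    Two passwords both map to KNOWLEDGE and therefore do not qualify."""
    categories = set()
    for name in authenticators:
        if name not in AUTHENTICATOR_FACTOR:
            raise ValueError(f"unknown authenticator type: {name}")
        categories.add(AUTHENTICATOR_FACTOR[name])
    return len(categories) >= 2

def mfa_requirement(administrative, console, from_outside_network, as_of):
    """Classify one access path as 'required', 'best practice' or 'not required' (as_of is YYYY-MM-DD)."""
    if from_outside_network:
        return "required"  # all remote access, whoever the user is
    if administrative and not console:
        # Non-console administrative access from inside the entity's network.
        return "required" if date.fromisoformat(as_of) > INTERNAL_ADMIN_MFA_DEADLINE else "best practice"
    return "not required"

def evaluate_access(administrative, console, from_outside_network, authenticators, as_of):
    """Allow only when the factors presented satisfy what the access path requires."""
    need = mfa_requirement(administrative, console, from_outside_network, as_of)
    if need == "required" and not is_multi_factor(authenticators):
        return "deny: multi-factor authentication required"
    if need == "best practice" and not is_multi_factor(authenticators):
        return "allow: single factor accepted, MFA is best practice"
    return "allow"
```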
Develop, implement, and communicate authentication policies and procedures to all users.
Do not use group, shared, or generic IDs, or other shared Authentication Methods. Service Providers with access to customer environments must use a unique authentication credential (such as a password) for each customer.
Other authentication mechanisms, such as physical Security Tokens, Smart Cards, and certificates, MUST be assigned to an individual account.
All access to any database containing cardholder data must be restricted: all user access must be through programmatic methods; only database administrators can have direct or query access; and application IDs for database applications can only be used by the applications (and not by users or non-application processes).
Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties.