Overview#

Identify and Authenticate Access to System Components is part of the Payment Card Industry Data Security Standard (PCI DSS) and is probably the part of the standard most relevant to LDAPWiki visitors.

Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. The requirements apply to all accounts with administrative capabilities, including point-of-sale accounts, and to all accounts with access to stored Cardholder Data.
The requirements do not apply to accounts used by consumers (e.g., cardholders).

8.1 #

Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components. Assign all users a unique user name before allowing them to access system components or Cardholder Data.

8.2 #

Employ at least one strong Authentication Method to authenticate all users, and render all passwords/passphrases unreadable during transmission and storage using strong cryptography.

8.3 #

Secure all individual non-console administrative access and all remote access to the Cardholder Data Environment using Multi-Factor Authentication. This requires that at least two of the three Authentication Methods described in 8.2 be used for authentication. Using one factor twice (e.g. using two separate passwords) is NOT considered multi-factor authentication. This requirement applies to administrative personnel with non-console access to the Cardholder Data Environment from within the entity’s network, and to all remote network access (including users, administrators, and third parties) originating from outside the entity’s network. (Note: The requirement for Multi-Factor Authentication for non-console administrative access from within the entity’s network is a Best Practice until 31 January 2018, after which it becomes a requirement.)

8.4 #

Develop, implement, and communicate authentication policies and procedures to all users.

8.5 #

Do NOT use group, shared, or generic IDs, or other shared Authentication Methods. Service Providers with access to customer environments must use a unique authentication credential (such as a password/passphrase) for each customer environment.
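As an added example (not from this page, PCI DSS, or any LDAPWiki project code), the following Python audit reads a constructed LDIF export and checks the accounts against 8.1 (unique IDs), 8.2 (passwords stored with strong cryptography) and 8.5 (no shared or generic IDs). The allowed hash-scheme list and the generic-ID list are assumptions for the example, not values PCI DSS defines.

```python
import re
# Assumed (not PCI-defined): schemes counted as strong, and names treated as generic.
STRONG_SCHEMES = {"SSHA512", "PBKDF2-SHA512", "ARGON2"}
GENERIC_IDS = {"admin", "root", "guest", "shared", "test", "operator"}
# Constructed LDIF export: one clean entry, one generic cleartext account,
# and a duplicate uid in another OU stored with an unsalted SHA-1 hash.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
userPassword: {SSHA512}c2FsdGVkaGFzaA==

dn: uid=shared,ou=people,dc=example,dc=com
uid: shared
userPassword: cleartextpassword

dn: uid=alice,ou=contractors,dc=example,dc=com
uid: alice
userPassword: {SHA}bm90IHNhbHRlZA==
"""

def parse_ldif(text):
    """Minimal LDIF parser: 'attr: value' lines, entries separated by blank lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def password_scheme(value):
    """Return the {SCHEME} prefix of a userPassword value, or None if absent."""
    m = re.match(r"\{([A-Za-z0-9-]+)\}", value)
    return m.group(1).upper() if m else None

def audit(entries):
    """Return (requirement, subject, message) findings, one per violation."""
    findings, uids = [], [e["uid"][0] for e in entries if "uid" in e]
    findings += [("8.1", u, f"uid is not unique ({uids.count(u)} entries)")
                 for u in sorted(set(uids)) if uids.count(u) > 1]
    for e in entries:
        dn, uid = e["dn"][0], e.get("uid", [""])[0]
        if uid.lower() in GENERIC_IDS:
            findings.append(("8.5", dn, f"generic or shared ID '{uid}'"))
        for pw in e.get("userpassword", []):
            scheme = password_scheme(pw)
            if scheme not in STRONG_SCHEMES:
                findings.append(("8.2", dn, f"weak storage: {scheme or 'cleartext'}"))
    return findings
```

Running `audit(parse_ldif(SAMPLE_LDIF))` on the constructed export yields one 8.1 finding for the duplicate uid, one 8.5 finding for the generic account, and two 8.2 findings for the cleartext and unsalted-hash entries.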

8.6 #

Where other authentication mechanisms are used, such as physical Security Tokens, Smart Cards, or certificates, each MUST be assigned to an individual account.

8.7 #

All access to any database containing Cardholder Data must be restricted: all user access must be through programmatic methods; only database administrators may have direct or query access; and application IDs for database applications may only be used by the applications themselves (not by individual users or other non-application processes).

8.8 #

Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties.

More Information#

There might be more information for this subject on one of the following: