What is PCI-DSS Requirement 8?
PCI-DSS Requirement 8.1 is put in place to ensure that every internal user of the business's payment transaction systems has a unique user ID appropriate to their job responsibilities. Tying each action to one identifiable person creates accountability, so problems can be traced and resolved quickly. The sub-sub-requirements include:
- PCI-DSS 8.1.1 – Assign unique IDs to all users before granting them access to the cardholder data environment (CDE).
- PCI-DSS 8.1.2 – Manage which staff can add, delete, or edit user accounts or identifier objects, as well as credentials.
- PCI-DSS 8.1.3 – Revoke access immediately when a user is terminated.
- PCI-DSS 8.1.4 – Either terminate or disable user accounts if there are 90 days of inactivity.
- PCI-DSS 8.1.5 – Manage all third-party IDs used to access systems: restrict their access permissions to what is necessary and monitor them while they are in use.
- PCI-DSS 8.1.6 – Lock users out of accounts after a maximum of six failed login attempts.
- PCI-DSS 8.1.7 – Set lockout durations for at least 30 minutes unless an authorised user enables the login.
- PCI-DSS 8.1.8 – Request that a user log in again if they have been idle for over 15 minutes.
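As an added illustration, not taken from the original page or from Hicomply, the following Python models the account-level controls in 8.1.3, 8.1.4 and 8.1.6 to 8.1.8 as plain functions over a per-user record. The type and function names (Account, record_failed_login, touch_session, walkthrough and so on), the sample user IDs and the timestamps are this example's own assumptions; the thresholds are exactly the ones listed above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# Thresholds exactly as the page summarises 8.1.4, 8.1.6, 8.1.7 and 8.1.8.
MAX_FAILED_ATTEMPTS = 6
LOCKOUT_DURATION = timedelta(minutes=30)
IDLE_TIMEOUT = timedelta(minutes=15)
INACTIVITY_LIMIT = timedelta(days=90)


@dataclass
class Account:
    """State kept per unique user ID (8.1.1); the field names are this example's own."""
    user_id: str
    enabled: bool = True
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    last_login: Optional[datetime] = None
    last_seen: Optional[datetime] = None  # last request seen in the current session

def is_locked(acct: Account, now: datetime) -> bool:
    """8.1.7: a lock holds until its 30-minute window passes or an admin clears it."""
    return acct.locked_until is not None and now < acct.locked_until

def record_failed_login(acct: Account, now: datetime) -> bool:
    """8.1.6: count failures and lock the ID on the sixth. Returns True if the ID is now locked."""
    if is_locked(acct, now):
        return True
    if acct.locked_until is not None:  # an earlier lock has expired: start counting afresh
        acct.locked_until, acct.failed_attempts = None, 0
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked_until = now + LOCKOUT_DURATION
        return True
    return False

def admin_unlock(acct: Account) -> None:
    """8.1.7: an authorised administrator may clear the lock before the 30 minutes elapse."""
    acct.locked_until, acct.failed_attempts = None, 0

def record_successful_login(acct: Account, now: datetime) -> bool:
    """A correct credential is accepted only for an enabled, unlocked ID."""
    if not acct.enabled or is_locked(acct, now):
        return False
    acct.failed_attempts, acct.locked_until = 0, None
    acct.last_login = acct.last_seen = now
    return True

def touch_session(acct: Account, now: datetime) -> bool:
    """8.1.8: after more than 15 idle minutes the user must log in again; True means still valid."""
    if acct.last_seen is None or now - acct.last_seen > IDLE_TIMEOUT:
        acct.last_seen = None
        return False
    acct.last_seen = now
    return True

def disable_if_inactive(acct: Account, now: datetime) -> bool:
    """8.1.4: disable an ID with no login in 90 days. Returns True if disabled by this call."""
    if acct.enabled and acct.last_login is not None and now - acct.last_login > INACTIVITY_LIMIT:
        acct.enabled = False
        return True
    return False

def revoke_access(acct: Account) -> None:
    """8.1.3: revoke immediately on termination, independent of any other state."""
    acct.enabled = False
    acct.last_seen = None

def walkthrough() -> Dict[str, bool]:
    """Scripted scenario on constructed timestamps; returns the observations for inspection."""
    t0 = datetime(2024, 1, 1, 9, 0)
    alice = Account("user-0001")  # constructed sample ID
    for i in range(5):
        record_failed_login(alice, t0 + timedelta(seconds=i))
    out = {"locked_after_five": is_locked(alice, t0 + timedelta(seconds=5))}
    out["locked_after_six"] = record_failed_login(alice, t0 + timedelta(seconds=5))
    out["locked_at_29min"] = is_locked(alice, t0 + timedelta(minutes=29))
    out["login_at_31min"] = record_successful_login(alice, t0 + timedelta(minutes=31))
    out["session_after_10_idle"] = touch_session(alice, t0 + timedelta(minutes=41))
    out["session_after_16_idle"] = touch_session(alice, t0 + timedelta(minutes=57))
    out["disabled_on_day_91"] = disable_if_inactive(alice, t0 + timedelta(days=91))
    out["login_when_disabled"] = record_successful_login(alice, t0 + timedelta(days=92))
    bob = Account("user-0002")  # constructed: six failures, then an admin clears the lock
    for i in range(6):
        record_failed_login(bob, t0 + timedelta(seconds=i))
    admin_unlock(bob)
    out["login_after_admin_unlock"] = record_successful_login(bob, t0 + timedelta(seconds=6))
    revoke_access(bob)
    out["login_after_revoke"] = record_successful_login(bob, t0 + timedelta(seconds=7))
    return out

if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name:>26}: {value}")
```

The current time is passed into every function rather than read from the system clock, which is what makes a policy like this testable against fixed timestamps and lets the same code be checked in a review before it is wired into a real login path.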
PCI-DSS Requirement 8.2: Create user authentication policies.
Your business will have to establish authentication processes to identify the user. These authenticating factors can include passwords, specific devices, or a biometric scan, but must be used to safeguard accounts. The sub-sub-requirements are as follows:
- PCI-DSS 8.2.1 – Use cryptography to protect user credentials both when they are transmitted and when they are stored.
- PCI-DSS 8.2.2 – Verify a user’s identity before editing their authentication credentials.
- PCI-DSS 8.2.3 – Enforce a minimum password strength. This usually means a minimum of seven characters including at least one number, one letter and one special character.
- PCI-DSS 8.2.4 – Ensure user passwords are changed every 90 days.
- PCI-DSS 8.2.5 – Do not allow users to reuse passwords and passphrases.
- PCI-DSS 8.2.6 – Issue unique passwords for first-time users that they will need to change immediately after their first use.
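As an added example that is not part of the page or of Hicomply's product, this Python sketches the credential-handling rules in 8.2.1 to 8.2.6 as one small store: a salted PBKDF2 hash is kept instead of the password, the current password is verified before a change, the page's strength rule is applied, a history blocks reuse, passwords expire after 90 days, and a first-use password must be changed before normal access. The class and function names, the history depth of four, the PBKDF2 iteration count, and the sample user ID and passwords are all assumptions of the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Thresholds as the page summarises 8.2.3 and 8.2.4; the other two are this example's assumptions.
MIN_LENGTH = 7
MAX_AGE = timedelta(days=90)
HISTORY_DEPTH = 4            # assumption: how many previous passwords 8.2.5 remembers
PBKDF2_ROUNDS = 100_000      # assumption: iteration count for the stored hash (8.2.1)
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|~")

def strength_violations(pw: str) -> List[str]:
    """8.2.3 as the page states it: at least 7 characters with a digit, a letter and a special."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c.isalpha() for c in pw):
        problems.append("no letter")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    return problems

def _digest(pw: str, salt: bytes) -> bytes:
    """8.2.1: only a salted, slow hash of the password is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)

def _matches(pw: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(_digest(pw, salt), digest)

@dataclass
class Credential:
    salt: bytes
    digest: bytes
    set_at: datetime
    must_change: bool = False
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest) of old passwords

class CredentialStore:
    def __init__(self) -> None:
        self._creds: Dict[str, Credential] = {}

    def provision(self, user_id: str, now: datetime, first_password: Optional[str] = None) -> str:
        """8.2.6: a unique first-use password that must be changed before normal access."""
        pw = first_password if first_password is not None else secrets.token_urlsafe(12)
        salt = os.urandom(16)
        self._creds[user_id] = Credential(salt, _digest(pw, salt), now, must_change=True)
        return pw

    def set_password(self, user_id: str, current_pw: str, new_pw: str, now: datetime) -> List[str]:
        """Change a password; returns the reasons for rejection, or an empty list on success."""
        cred = self._creds[user_id]
        if not _matches(current_pw, cred.salt, cred.digest):
            return ["current password did not verify"]           # 8.2.2
        problems = strength_violations(new_pw)                    # 8.2.3
        if _matches(new_pw, cred.salt, cred.digest) or any(
            _matches(new_pw, s, d) for s, d in cred.history
        ):
            problems.append("password was used before")           # 8.2.5
        if problems:
            return problems
        cred.history = ([(cred.salt, cred.digest)] + cred.history)[:HISTORY_DEPTH]
        cred.salt = os.urandom(16)
        cred.digest = _digest(new_pw, cred.salt)
        cred.set_at = now
        cred.must_change = False
        return []

    def verify(self, user_id: str, pw: str, now: datetime) -> str:
        """Returns 'ok', 'must_change' (8.2.6), 'expired' (8.2.4) or 'rejected'."""
        cred = self._creds.get(user_id)
        if cred is None or not _matches(pw, cred.salt, cred.digest):
            return "rejected"
        if cred.must_change:
            return "must_change"
        if now - cred.set_at > MAX_AGE:
            return "expired"
        return "ok"

def walkthrough() -> Dict[str, object]:
    """Scripted scenario on constructed data; returns every observation for inspection."""
    t0 = datetime(2024, 1, 1, 9, 0)
    store, uid = CredentialStore(), "user-0001"                    # constructed sample ID
    temp = store.provision(uid, t0, first_password="Temp#2024")   # constructed one-time password
    return {
        "first_login": store.verify(uid, temp, t0),
        "too_short": store.set_password(uid, temp, "ab1!", t0),
        "reused_temp": store.set_password(uid, temp, temp, t0),
        "changed": store.set_password(uid, temp, "Winter-2024x", t0),
        "next_day": store.verify(uid, "Winter-2024x", t0 + timedelta(days=1)),
        "day_91": store.verify(uid, "Winter-2024x", t0 + timedelta(days=91)),
        "wrong_current": store.set_password(uid, "nope", "Spring-2024x", t0),
        "old_one_again": store.set_password(uid, "Winter-2024x", temp, t0),
        "temp_after_change": store.verify(uid, temp, t0),
    }
```

Two design points worth noting: the strength check reports every violation at once rather than stopping at the first, which is what a user-facing policy message needs, and comparisons go through hmac.compare_digest so that a correct-prefix guess is not distinguishable by timing from a wholly wrong one.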
PCI-DSS Requirement 8.3: Implement Multi-Factor Authentication
Multi-factor authentication requires a user to go through more than one authentication process to prove their identity and gain access, especially when working remotely. This entails:
- PCI-DSS 8.3.1 – Incorporating MFA for all non-console access to the CDE, including for those with administration privileges.
- PCI-DSS 8.3.2 – Incorporating MFA for all user and admin access that is either remote or outside the company’s internal network.
It’s important to note that having two passwords does not constitute MFA.
PCI-DSS Requirement 8.4: Ensure users are properly trained on account authentication.
PCI-DSS Requirement 8.4 states that all policies and procedures related to user identification and authorisation must be documented.
This includes guidance that allows the user to create suitably strong account credentials and will also inform them on how to protect, maintain, and make changes to these accounts.
PCI-DSS Requirement 8.5: Reduce any generic or shared credentials.
Businesses should ensure that they immediately remove and replace all generic and shared user IDs. For service providers, this includes:
- PCI-DSS 8.5.1 – Utilising unique user IDs for each customer in any situation involving remote access to the customers’ premises.
PCI-DSS Requirement 8.6: Safeguard devices individually.
PCI-DSS Requirement 8.6 states that if physical methods of payment, such as cards or certificates, are used, then their use needs to be carefully documented and restricted. This includes tying each of these methods to an individual account and verifying the owner's identity through either physical or logical controls.
PCI-DSS Requirement 8.7: Ensure access to CDE databases is completely restricted.
Businesses must ensure that any user access to CDE databases takes place using programmatic methods, with all queries and direct access coming from the relevant administrators. Additionally, all user IDs for app access must be limited to in-app use.
PCI-DSS Requirement 8.8: Document and distribute all policies.
All relevant staff will need to know and follow all security policies and procedures to ensure that access is limited on a ‘need-to-know’ basis. This can be done by documenting and distributing all policies throughout the workforce, ensuring staff are fully trained based on their privilege level.
Comply with PCI-DSS Requirement 8 with Hicomply
PCI-DSS compliance can bring incredible benefits for your business and, for most businesses, it is mandatory. However, it can be hard to navigate, especially for those who are new to the certification.
At Hicomply, we offer a full-fledged ISMS solution that takes all the stress out of the process – giving you compliance as you work! Contact us today for a demo.