February 6, 2024

PCI DSS Requirement 8: What Is It and How to Comply?

PCI DSS Requirement 8.1 is put in place to ensure that every internal user of the business's payment transaction systems has a unique user ID appropriate to their job responsibilities. Because each action can then be traced to a named individual, this creates accountability and allows problems to be investigated and resolved quickly.


The sub-sub-requirements include:

  • PCI DSS 8.1.1 – Assign unique IDs to all users before granting them access to the cardholder data environment (CDE).
  • PCI DSS 8.1.2 – Manage which staff can add, delete, or edit user accounts or identifier objects, as well as credentials.
  • PCI DSS 8.1.3 – Revoke access immediately when a user is terminated.
  • PCI DSS 8.1.4 – Either terminate or disable user accounts if there are 90 days of inactivity.
  • PCI DSS 8.1.5 – Manage all third-party IDs used to access systems, restricting their access permissions where necessary and monitoring them while in use.
  • PCI DSS 8.1.6 – Lock users out of their accounts after a maximum of six failed login attempts.
  • PCI DSS 8.1.7 – Set the lockout duration to at least 30 minutes, unless an authorised user re-enables the account sooner.
  • PCI DSS 8.1.8 – Require users to log in again after more than 15 minutes of inactivity.

PCI DSS Requirement 8.2: Create user authentication policies.

Your business will have to establish authentication processes that verify a user's identity. These authentication factors can include passwords, specific devices, or a biometric scan, and they must be used to safeguard accounts. The sub-sub-requirements are as follows:

  • PCI DSS 8.2.1 – Use cryptography to protect user credentials both in transit and in storage.
  • PCI DSS 8.2.2 – Verify a user's identity before editing their authentication credentials.
  • PCI DSS 8.2.3 – Enforce a minimum password strength. This usually means a minimum of seven characters, including at least one letter, one number, and one special character.
  • PCI DSS 8.2.4 – Ensure user passwords are changed every 90 days.
  • PCI DSS 8.2.5 – Do not allow users to reuse previous passwords or passphrases.
  • PCI DSS 8.2.6 – Issue a unique initial password to each new user, which they must change immediately after first use.
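As an added illustration (not code from Hicomply or from the PCI DSS standard itself), the following Python models the lockout rules of 8.1.6 and 8.1.7 above together with the password rules of 8.2.1 and 8.2.3 to 8.2.5. The thresholds come straight from the two lists; the Account class, its method names and the PBKDF2 parameters are assumptions made for the example.

```python
import hashlib, hmac, os, re
from datetime import datetime, timedelta

MAX_FAILED = 6                    # 8.1.6: lock after six failed attempts
LOCKOUT = timedelta(minutes=30)   # 8.1.7: stay locked for 30 minutes
MAX_PW_AGE = timedelta(days=90)   # 8.2.4: rotate passwords every 90 days
MIN_PW_LEN = 7                    # 8.2.3: at least seven characters
ROUNDS = 100_000                  # 8.2.1: store only salted, iterated hashes (assumed value)

def password_is_strong(pw: str) -> bool:
    # 8.2.3 as the page states it: length plus a letter, a digit and a special character
    return (len(pw) >= MIN_PW_LEN and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"\d", pw) is not None and re.search(r"[^A-Za-z0-9]", pw) is not None)

def hash_password(pw: str) -> bytes:   # 16-byte random salt prepended to the PBKDF2 digest
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ROUNDS)

def verify_hash(pw: str, stored: bytes) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), stored[:16], ROUNDS)
    return hmac.compare_digest(digest, stored[16:])   # constant-time comparison

class Account:   # hypothetical per-user state, one object per unique user ID (8.1.1)
    def __init__(self, user_id: str, password: str, now: datetime):
        self.user_id, self.failed, self.locked_until = user_id, 0, None
        self.pw_set_at = now
        self.history: list[bytes] = []     # hashes of every password ever set
        if not self.set_password(password, now):
            raise ValueError("initial password rejected")

    def set_password(self, new_pw: str, now: datetime) -> bool:
        if not password_is_strong(new_pw):
            return False
        if any(verify_hash(new_pw, h) for h in self.history):   # 8.2.5: no reuse
            return False
        self.history.append(hash_password(new_pw))
        self.pw_set_at = now
        return True

    def login(self, pw: str, now: datetime) -> str:
        if self.locked_until and now < self.locked_until:        # 8.1.7
            return "locked"
        if not verify_hash(pw, self.history[-1]):
            self.failed += 1
            if self.failed >= MAX_FAILED:                        # 8.1.6
                self.locked_until = now + LOCKOUT
            return "invalid"
        self.failed, self.locked_until = 0, None
        return "password_expired" if now - self.pw_set_at > MAX_PW_AGE else "ok"
```

The "locked" result is returned before the password is checked, so an attempt during the lockout window neither reveals whether the password was right nor extends the counter.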

PCI DSS Requirement 8.3: Implement Multi-Factor Authentication

Multi-factor authentication requires a user to pass more than one independent authentication check to prove their identity and gain access, which matters most when they are working remotely. This entails:

  • PCI DSS 8.3.1 – Incorporating MFA for all non-console access to the CDE, including for those with administration privileges.
  • PCI DSS 8.3.2 – Incorporating MFA for all user and admin access that is either remote or outside the company’s internal network.

It's important to note that having two passwords does not constitute MFA: both are the same kind of factor (something the user knows), so a second factor of a different kind is required.

PCI DSS Requirement 8.4: Ensure users are properly trained on account authentication.

PCI DSS Requirement 8.4 states that all policies and procedures related to user identification and authorisation must be documented. This includes guidance that helps users create suitably strong account credentials and that tells them how to protect, maintain, and make changes to their accounts.

PCI DSS Requirement 8.5: Reduce any generic or shared credentials.

Businesses should ensure that they immediately remove and replace all generic and shared user IDs. For service providers, this includes:

  • PCI DSS 8.5.1 – Utilising unique user IDs for each customer in any situation involving remote access to the customers’ premises.

PCI DSS Requirement 8.6: Safeguard devices individually.

PCI DSS Requirement 8.6 states that if physical methods of payment, such as cards or certificates, are used, then their use needs to be carefully documented and restricted. This includes tying each of these methods to an individual account and verifying the owner's identity through physical or logical controls.

PCI DSS Requirement 8.7: Ensure access to CDE databases is completely restricted.

Businesses must ensure that user access to CDE databases takes place only through programmatic methods, with direct queries and direct access limited to the relevant administrators. Additionally, any user ID that an application uses to reach the database must be limited to use by that application.

PCI DSS Requirement 8.8: Document and distribute all policies.

All relevant staff will need to know and follow all security policies and procedures to ensure that access is limited on a ‘need-to-know’ basis. This can be done by documenting and distributing all policies throughout the workforce, ensuring staff are fully trained based on their privilege level.

Comply with PCI DSS Requirement 8 with Hicomply

PCI DSS compliance can mean incredible benefits for your business and, for most, is completely mandatory. However, it can be hard to navigate, especially for those who are new to the certification. At Hicomply, we offer a full-fledged ISMS solution that takes all the stress out of the process, giving you compliance as you work. Contact us today for a demo.
