The Merchant Processing Guru Tip# 37: The 12 requirements of PCI Compliance – Requirement #8

The Merchant Processing Guru Tip# 37: The 12 requirements of PCI Compliance – Requirement #8

Password Authentication
Assign a unique ID to each person with computer access. This requirement is requiring authentication for access by administrators, users and applications to any database containing cardholder data and the restriction of any database queries to administrators only.

You must assign a unique user name to each employee before allowing them access to any of your system’s components. Additionally you have 3 options for authenticating each user: A password, an access card or physical device and third biometric scanning or other recognition software.

If accessing the system via remote VPN or any other remote access to your network you should incorporate a two-factor authentication. For example one factor is login & password, the other using tokenization or some other dual-factor authentication method.

Of course passwords should be unreadable to others using strong cryptography and you should ensure proper user identification & authentication management on your system. This should include verification of the user’s identity before resetting a password. Control the addition, deletion or modification of a user’s credentials. Set all first time passwords using a unique value and require that the user change them immediately after first time use. Immediately revoke access to any terminated users and remove inactive user accounts every 90 days. Monitor vendor remote access and limit their access to the time period needed to perform their task. Require a minimum password length of at least 7 characters utilizing both numeric & alphabetic characters and limit the use of the same password within a period of at least one year. Limit repeat access attempts to no more than six before locking out the user & set the lockout for at least 30 minutes or until an administrator enables the user ID. Require the user to re-authenticate after being idle for 15 minutes. Do not use any group, shared or generic accounts & you should communicate all these policies & procedures to all users with access to cardholder data.

Russell Harverson has over 9 years experience in the credit card processing industry and has built a reputation for “being there” for all his merchants! The goal of The Merchant Processing Guru is to provide you with the right, cost effective processing solution for your individual business needs, no matter how large, small or different, he has done it all. He is your Guru of Merchant Services, shedding light on the credit card processing industry. To contact him via email: [email protected]
Or call him at: 1-888-368-GURU (4878)

This entry was posted in PCI compliance and tagged , , , , , , , , , , , , , , , , , , , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *