PCI DSS Requirement 8

Requirement 8: Assign a unique ID to each person with computer access

Requirements Addressed

8.1 Assign all users a unique ID before allowing them to access system components or cardholder data.

8.1.3 Immediately revoke access for any terminated users.

8.1.4 Remove/disable inactive user accounts within 90 days.

8.1.5 Manage IDs used by vendors to access, support, or maintain system components via remote access as follows:

- Enabled only during the time period needed and disabled when not in use.

- Monitored when in use.

8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts.

8.2 In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users:

- Password or passphrase

- Two-factor authentication (for example, token devices, smart cards, biometrics, or public keys).

8.2.3 Passwords/phrases must meet the following:

- Require a minimum length of at least seven characters.

- Contain both numeric and alphabetic characters.

8.2.4 Change user passwords/passphrases at least once every 90 days.

8.2.5 Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used.

8.3 Two-factor authentication applies to users, administrators, and all third parties, including vendor access for support or maintenance.

8.4 Render all passwords unreadable during transmission and storage on all system components using strong cryptography.

8.5 Do not use group, shared, or generic IDs, passwords, or other authentication

8.5.1 Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.

This requires service providers to use unique authentication credentials for each customer, such as two-factor authentication. The intent is to prevent multiple customers from being compromised by a single set of credentials.
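The password, lockout and account-ageing rules in 8.1.4, 8.1.5, 8.1.6 and 8.2.3 to 8.2.5 translate directly into checks an identity system can enforce. The following Python module is an added example written for this page, not code from the products described below; the thresholds are the ones the requirements state, while the Account data model, the PBKDF2 round count, the reference time T0 and the string results returned by the functions are assumptions made for the example.

```python
"""Account-policy checks modelled on PCI DSS Requirement 8 (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import hashlib
import hmac
import os

# Thresholds are the ones stated in the requirement text above.
MIN_LENGTH = 7                         # 8.2.3: at least seven characters
MAX_FAILED_ATTEMPTS = 6                # 8.1.6: lock out after not more than six attempts
MAX_PASSWORD_AGE = timedelta(days=90)  # 8.2.4: change at least every 90 days
MAX_INACTIVITY = timedelta(days=90)    # 8.1.4: disable inactive accounts within 90 days
HISTORY_DEPTH = 4                      # 8.2.5: not the same as any of the last four
PBKDF2_ROUNDS = 100_000                # assumed work factor; tune for your hardware

T0 = datetime(2024, 1, 1)              # constructed reference time for the demo


def days(n: int) -> timedelta:
    return timedelta(days=n)


def hash_password(password: str, salt: bytes) -> bytes:
    """8.4: only a salted PBKDF2-HMAC-SHA256 hash is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def meets_complexity(password: str) -> bool:
    """8.2.3: minimum length, with both alphabetic and numeric characters."""
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


@dataclass
class Account:
    user_id: str                       # 8.1: one ID per person, never shared (8.5)
    salt: bytes
    pw_hash: bytes
    pw_set_at: datetime
    last_login: datetime
    failed_attempts: int = 0
    locked: bool = False
    enabled_until: Optional[datetime] = None     # 8.1.5: time-boxed vendor access
    history: list = field(default_factory=list)  # retired (salt, hash) pairs, newest last


def create_account(user_id: str, password: str, now: datetime,
                   enabled_until: Optional[datetime] = None) -> Account:
    if not meets_complexity(password):
        raise ValueError("password does not meet 8.2.3")
    salt = os.urandom(16)
    return Account(user_id, salt, hash_password(password, salt), now, now,
                   enabled_until=enabled_until)


def matches_recent(account: Account, candidate: str) -> bool:
    """8.2.5: the current password counts as one of the last four used."""
    pairs = [(account.salt, account.pw_hash)] + account.history[-(HISTORY_DEPTH - 1):]
    return any(hmac.compare_digest(hash_password(candidate, s), h) for s, h in pairs)


def change_password(account: Account, new_password: str, now: datetime) -> str:
    """Returns 'ok', or 'too_weak' / 'reused' when the change is refused."""
    if not meets_complexity(new_password):
        return "too_weak"
    if matches_recent(account, new_password):
        return "reused"
    account.history.append((account.salt, account.pw_hash))
    del account.history[:-(HISTORY_DEPTH - 1)]   # keep only the last three retired hashes
    account.salt = os.urandom(16)
    account.pw_hash = hash_password(new_password, account.salt)
    account.pw_set_at = now
    return "ok"


def password_expired(account: Account, now: datetime) -> bool:
    """8.2.4: the password has reached its maximum age."""
    return now - account.pw_set_at >= MAX_PASSWORD_AGE


def is_inactive(account: Account, now: datetime) -> bool:
    """8.1.4: candidate for removal/disabling by a periodic clean-up job."""
    return now - account.last_login >= MAX_INACTIVITY


def authenticate(account: Account, password: str, now: datetime) -> str:
    """Returns 'ok', 'locked', 'disabled', 'expired' or 'bad_password'."""
    if account.locked:
        return "locked"
    if account.enabled_until is not None and now > account.enabled_until:
        return "disabled"                        # 8.1.5: vendor window has closed
    if not hmac.compare_digest(hash_password(password, account.salt), account.pw_hash):
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True                # 8.1.6: sixth failure locks the ID
            return "locked"
        return "bad_password"
    account.failed_attempts = 0
    account.last_login = now
    if password_expired(account, now):
        return "expired"                         # correct secret, but a change is due
    return "ok"
```

Note that the history check re-hashes the candidate under each retired salt, which is the only way to compare against stored hashes without ever keeping the old passwords themselves; the inactivity and expiry checks are pure functions of the stored timestamps, so a scheduled job can apply them across all accounts without touching any secret.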
Solution Features

- Disk encryption pre-boot environment is multi-user capable, allowing each user to use their unique Windows user ID. Each user’s actions are logged separately in the central audit trail.

- Disk encryption and the admin console support both user ID/password and two-factor authentication with smartcards or tokens.

- The solutions do not store full-disk encryption passwords. If a solution is configured to store the password for recovery purposes, the stored password is encrypted and protected by strong cryptography.

- Disk encryption enforces password rules for minimum length and complexity, and forces password changes at configurable intervals. A configurable password history function ensures users don’t reuse passwords too soon.

- Disk encryption can also lock out users after a predefined number of wrong password attempts.

- Service providers with access to customer environments MUST ensure a unique password per customer.

- Users can be centrally removed from machines, revoking all access after the next policy refresh (configurable).

WAF

Provides a central point of entry to authenticate, identify and log all user activity.

- Two-factor authentication

Contact us today to discuss your requirements in more detail.
P: +44(0)7714 209927

S: +44(0)1273 329753

info@securenetconsulting.co.uk