From HORSE - Holistic Operational Readiness Security Evaluation.
Requirement 8: Assign a unique ID to each person with computer access.
- This ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.
- PCI-8.1 Identify all users with a unique username before allowing them to access system components or cardholder data.
- PCI-8.2 Employ at least one of the methods below, in addition to unique identification, to authenticate all users:
  - Password.
  - Token devices (e.g., SecurID, certificates, or public key).
  - Biometrics.
- PCI-8.4 Encrypt all passwords during transmission and storage, on all system components.
- PCI-8.5 Ensure proper user authentication and password management for non-consumer users and administrators, on all system components:
  - PCI-8.5.1 Control the addition, deletion, and modification of user IDs, credentials, and other identifier objects.
  - PCI-8.5.2 Verify user identity before performing password resets.
  - PCI-8.5.3 Set first-time passwords to a unique value per user and change immediately after first use.
  - PCI-8.5.4 Immediately revoke accesses of terminated users.
  - PCI-8.5.5 Remove inactive user accounts at least every 90 days.
  - PCI-8.5.6 Enable accounts used by vendors for remote maintenance only during the time needed.
  - PCI-8.5.7 Distribute password procedures and policies to all users who have access to cardholder information.
  - PCI-8.5.8 Do not use group, shared, or generic accounts/passwords.
  - PCI-8.5.9 Change user passwords at least every 90 days.
  - PCI-8.5.10 Require a minimum password length of at least seven characters.
  - PCI-8.5.11 Use passwords containing both numeric and alphabetic characters.
  - PCI-8.5.12 Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
  - PCI-8.5.13 Limit repeated access attempts by locking out the user ID after not more than six attempts.
  - PCI-8.5.14 Set the lockout duration to thirty minutes or until administrator enables the user ID.
  - PCI-8.5.15 If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.
  - PCI-8.5.16 Authenticate all access to any database containing cardholder information. This includes access by applications, administrators, and all other users.
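As an added illustration (not part of this wiki page or of the PCI DSS text), the following Python module turns the numeric thresholds in 8.5.10 through 8.5.14 into enforceable checks: a password-policy validator with a salted-hash history for the "last four" rule, and a per-user-ID lockout counter. The salted PBKDF2 storage and the epoch-seconds clock are assumptions of this example, not requirements stated above.

```python
import hashlib
import secrets

# Thresholds taken from the PCI-8.5.x items listed above.
MIN_LENGTH = 7               # PCI-8.5.10
HISTORY_DEPTH = 4            # PCI-8.5.12
MAX_FAILED_ATTEMPTS = 6      # PCI-8.5.13
LOCKOUT_SECONDS = 30 * 60    # PCI-8.5.14

def hash_password(password, salt=b""):
    """Salted PBKDF2-SHA256 so no plaintext is stored (PCI-8.4). Returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def password_complies(password, history):
    """Check a candidate against 8.5.10-8.5.12. history = [(salt, digest), ...], oldest first."""
    if len(password) < MIN_LENGTH:
        return False, "shorter than seven characters (8.5.10)"
    if not (any(c.isdigit() for c in password) and any(c.isalpha() for c in password)):
        return False, "must contain both letters and digits (8.5.11)"
    for salt, digest in history[-HISTORY_DEPTH:]:   # only the last four entries matter
        if secrets.compare_digest(hash_password(password, salt)[1], digest):
            return False, "matches one of the last four passwords (8.5.12)"
    return True, "ok"

class AccountLockout:
    """Per-user-ID failed-attempt counter implementing 8.5.13 and 8.5.14 (times in epoch seconds)."""
    def __init__(self):
        self.failures = {}
        self.locked_until = {}

    def is_locked(self, user_id, now):
        until = self.locked_until.get(user_id)
        if until is not None and now >= until:   # thirty-minute window elapsed: re-enable
            self.unlock(user_id)
        return user_id in self.locked_until

    def record_failure(self, user_id, now):
        """Count a failed login; returns True when this attempt locks the ID."""
        self.failures[user_id] = self.failures.get(user_id, 0) + 1
        if self.failures[user_id] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[user_id] = now + LOCKOUT_SECONDS
            return True
        return False

    def unlock(self, user_id):
        """Administrator re-enables the ID (8.5.14); also call after a successful login."""
        self.failures.pop(user_id, None)
        self.locked_until.pop(user_id, None)
```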
--Mdpeters 12:57, 7 July 2006 (EDT)