Castleforce IT Security Team

Implement Strong Access Control Measures

Requirement 8: Assign a unique ID to each person with computer access.

Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for his or her actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorised users.

PCI DSS 8.1 Assign all users a unique username before allowing them to access system components or cardholder data.

PCI DSS 8.2 In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users:

  • Password or Passphrase
  • Two-factor authentication (e.g., token devices, smart cards, biometrics, or public keys)

PCI DSS 8.3 Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS); terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates.

PCI DSS 8.4 Render all passwords unreadable during transmission and storage on all system components using strong cryptography based on approved standards (defined in PCI DSS Glossary, Abbreviations, and Acronyms).

PCI DSS 8.5 Ensure proper user authentication and password management for nonconsumer users and administrators on all system components as follows:

  • 8.5.1 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
  • 8.5.2 Verify user identity before performing password resets.
  • 8.5.3 Set first-time passwords to a unique value for each user and change immediately after the first use.
  • 8.5.4 Immediately revoke access for any terminated users.
  • 8.5.5 Remove/disable inactive user accounts at least every 90 days.
  • 8.5.6 Enable accounts used by vendors for remote maintenance only during the time period needed.
  • 8.5.7 Communicate password procedures and policies to all users who have access to cardholder data.
  • 8.5.8 Do not use group, shared, or generic accounts and passwords.
  • 8.5.9 Change user passwords at least every 90 days.
  • 8.5.10 Require a minimum password length of at least seven characters.
  • 8.5.11 Use passwords containing both numeric and alphabetic characters.
  • 8.5.12 Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
  • 8.5.13 Limit repeated access attempts by locking out the user ID after not more than six attempts.
  • 8.5.14 Set the lockout duration to a minimum of 30 minutes or until administrator enables the user ID.
  • 8.5.15 If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.
  • 8.5.16 Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users.
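The numbered controls above (8.4 storage, 8.5.9 to 8.5.15) translate directly into account-handling logic, and seeing them together shows how they interact: the password history has to be kept as salted hashes, not clear text, and a lockout has to stop counting attempts while it is in force. The block below is an added example written for this page, not code from Castleforce, the PCI SSC or any of the partner products named here. The `Account` class, the function names and the PBKDF2 iteration count are assumptions chosen for the example.

```python
"""Password management and lockout controls modelled on PCI DSS 8.4 and 8.5.

Added example (not Castleforce or PCI SSC code). Account, set_password, login,
session_active and admin_unlock are hypothetical names chosen for this example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIN_LENGTH = 7                      # 8.5.10
HISTORY_DEPTH = 4                   # 8.5.12
MAX_ATTEMPTS = 6                    # 8.5.13
LOCKOUT_SECONDS = 30 * 60           # 8.5.14
IDLE_SECONDS = 15 * 60              # 8.5.15
MAX_PASSWORD_AGE = 90 * 24 * 3600   # 8.5.9
PBKDF2_ITERATIONS = 100_000         # 8.4: salted, iterated hash (assumed count; raise for production)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn unless one is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def check_complexity(password: str) -> List[str]:
    """8.5.10 and 8.5.11: minimum length, and both alphabetic and numeric characters."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"8.5.10: shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("8.5.11: no numeric character")
    if not any(c.isalpha() for c in password):
        problems.append("8.5.11: no alphabetic character")
    return problems


@dataclass
class Account:
    user_id: str                                   # 8.1: one ID per person
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # newest first, current at [0]
    password_set_at: float = 0.0
    failed_attempts: int = 0
    locked_until: float = 0.0
    last_activity: float = 0.0


def set_password(acct: Account, new_password: str, now: float) -> List[str]:
    """Apply the new password if it passes complexity and history checks; return any problems."""
    problems = check_complexity(new_password)
    if problems:
        return problems
    # 8.5.12: compare against the last HISTORY_DEPTH hashes (the current password included)
    if any(verify_password(new_password, s, d) for s, d in acct.history[:HISTORY_DEPTH]):
        return ["8.5.12: matches one of the last four passwords"]
    acct.history.insert(0, hash_password(new_password))
    del acct.history[HISTORY_DEPTH:]            # keep only the last four hashes
    acct.password_set_at = now
    return []


def login(acct: Account, password: str, now: float) -> str:
    """Return 'ok', 'denied', 'locked' or 'expired'; account state is updated as a side effect."""
    if now < acct.locked_until:
        return "locked"                          # 8.5.14: lockout still in force, attempt not counted
    if not acct.history or not verify_password(password, *acct.history[0]):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_ATTEMPTS:  # 8.5.13: lock on the sixth failure
            acct.failed_attempts = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"
    acct.failed_attempts = 0
    acct.last_activity = now
    if now - acct.password_set_at > MAX_PASSWORD_AGE:
        return "expired"                         # 8.5.9: force a change after 90 days
    return "ok"


def session_active(acct: Account, now: float) -> bool:
    """8.5.15: a session idle for more than 15 minutes must re-authenticate."""
    return now - acct.last_activity <= IDLE_SECONDS


def admin_unlock(acct: Account) -> None:
    """8.5.14: an administrator may re-enable the ID before the 30 minutes elapse."""
    acct.locked_until = 0.0
    acct.failed_attempts = 0
```

Two design points are worth noting. The history keeps only hashes, each with its own salt, so satisfying 8.5.12 never requires storing a recoverable copy of an old password (8.4). And attempts made while the ID is locked return "locked" without touching the counter, so an attacker cannot keep the account permanently locked by hammering it, while the administrator path still exists for the "until administrator enables" clause.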

Authentication Partners

Standard logins require a user name (often the Active Directory username) and a static password which, even if complex, can be beaten by hackers within minutes.

To achieve authentication genuinely stronger than a complex password alone can provide, we would recommend two-factor authentication or strong mutual authentication, as this fulfils the access control requirement and part of the mobile working requirement together.

CRYPTOCard is a leader and innovator in the network authentication industry with its multi-award-winning two-factor authentication solutions. CRYPTOCard has 2FA options for every scenario, including tokens, magnetic stripe access cards, USB tokens, tokenless authentication on BlackBerry and Windows Mobile, as well as software tokens and keyboardless logons, and is available as a managed service as well as a local installation.

SecurEnvoy next-generation two-factor authentication: tokenless two-factor authentication via SMS to mobile phones that uses the existing network directory structure, so no separate database is needed. SecurEnvoy has a range of tokenless solutions to help with every authentication requirement.

Swivel PINsafe multifactor authentication: Swivel PINsafe is a tokenless multifactor authentication solution based on patented technology, offering CESG CCTM-accredited, cost-effective image-, browser- and voice-based authentication.

VASCO strong authentication: VASCO is the leading supplier of strong authentication and e-signature solutions and services, specialising in Internet security applications and transactions.

Contact Castleforce for help with PCI DSS

PCI DSS Core Principles

The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organised:

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters 

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Requirement 5: Use and regularly update anti-virus software

Requirement 6: Develop and maintain secure systems and applications

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 9: Restrict physical access to cardholder data

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Requirement 12: Maintain a policy that addresses information security

Access Control and SSO Partners

Wallix AdminBastion and LogBastion: Wallix AdminBastion allows you to control the access of your IT service providers, whether internal or external, privileged accounts and high-risk users. You can also record their work sessions and view them as and when needed (audit, incident, etc.). With WAB, you can easily manage IT team turnover without running the risk of granting access to your critical servers to individuals who are no longer authorised.

  • Session recording
  • SSH flow analysis
  • Access control
  • Real-time supervision

Single Sign On

Imprivata OneSign Single Sign-On appliance: Imprivata OneSign Single Sign-On provides a single act of user authentication permitting users to access all workstations and applications they are authorised to use. Password-related calls to the IT helpdesk are virtually eliminated by centrally managing each user's complete collection of application passwords and extending seamless and convenient single sign-on to any enterprise application.