By Tim Cranny
Panoptic Security Inc.
This installment of our multipart series drills down on the eighth of the 12 requirements of the Payment Card Industry (PCI) Data Security Standard (DSS). The article discusses what the issues are, what merchants need to do and what their ISOs, banks or processors can do to help them.
Requirement 8 is "Assign a unique ID to each person with computer access." It is the second part of the section called "Implement Strong Access Control Measures." The first part of that section (Requirement 7) laid out the high-level principles for controlling who gets access to sensitive cardholder data and systems. But Requirement 7 is deliberately short on details about what merchants should actually do and how to do it.
Requirement 8 plugs that gap when it comes to computers; it contains a long list of specific technical requirements on how to implement access control. The other main area of access control issues, physical security, is covered in Requirement 9.
The core idea behind Requirement 8 is that before you can control access, you first need to be certain who is trying to gain access. To use an analogy, there's not much value in having 10 bouncers at the front door of a nightclub with a detailed list of invited guests if a 60-year-old man can walk up and say, "I'm Paris Hilton. Let me in," and then be admitted.
Recognizing and "authenticating" people is not the same as access control, but it is the foundation of access control. And since modern computer systems can do access control naturally and easily once the authentication piece is taken care of, authentication has become the primary issue in most peoples' minds.
Requirement 8 is all about making sure that when someone tries to get access to a computer resource (a file or a program, for example) that relates to cardholder data, the system knows specifically who the person is claiming to be and can be reasonably confident that the individual is actually the person he or she purports to be.
This requirement is fairly technical. Despite that, it is usually not as problematic as other sections of the PCI DSS, mainly because most merchants are aware of the issues and the solutions, and also because many of the requirements are in the "Do it once, properly" vein rather than the more painful "Be sure to do this every day." Not all parts of Requirement 8 are like that though; important parts of it need regular attention and updating. Requirement 8 is also simpler than Requirement 7 in that it is less likely to trigger staff complaints or resistance; the issues are almost purely technical, rather than social, political or cultural.
To comply with Requirement 8, merchants need to ensure that they use passwords (or a suitable replacement like fingerprint scanning) carefully and completely. None of the individual requirements are particularly difficult or obscure. They include such steps as the following:
One requirement that will be less familiar to most merchants is the requirement that "two-factor authentication" be used for remote access (that is, logging on to computers or applications off-site). Two-factor authentication basically means using passwords plus something else to prove who you are; the "something else" could be a fingerprint, retinal scan, or a physical device like a smart card or dongle.
Using something else in addition to a password makes the authentication much stronger, which is a reasonable goal because allowing remote access is riskier than allowing on-site access only. The right approach to this issue is to prohibit remote access unless there is a clear and unavoidable need for it. As with all security concerns, avoiding the problem in the first place is the best route.
Some Requirement 8 particulars, like setting a minimum password length or enforcing automatic screensavers, are generally "Do it once, properly" issues. Others, like ensuring that old accounts are disabled, are necessarily an ongoing process and should be built into the company's standard operating procedures.
Because meeting these requirements depends in part on the behavior of payment applications used by merchants, it is just one of many reasons why merchants should make sure they are using certified systems.
Most of the issues raised by Requirement 8 are fairly familiar to merchants. As such, this requirement will typically be a low-pain part of a general PCI awareness and compliance program. ISOs and others should spend most of their effort and time on making sure that their programs can deal with the technical demands and support burdens of other, more challenging and painful, parts of PCI.
Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. ( www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at firstname.lastname@example.org or 801-599-3454.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next